Facebook has announced expansion of its bug bounty program to include third-party apps and websites that let people use their Facebook accounts to log in. The company has declared that it will pay at least $500 to anyone who reports vulnerabilities that involve “improper exposure of Facebook user access tokens.” Access tokens allow users to log into third – party applications and websites through Facebook. One condition that the company has put forth is that the bug should be discovered by passively viewing data sent to or from a device while the affected application is in use.
https://www.securityweek.com/facebook-offers-rewards-access-token-exposure-flaws