Am I the only person out there who agrees he shouldn't receive a bounty?!
Facebook's stance is akin to "we don't negotiate with terrorists". Although obviously this wasn't malicious (or "terrorism"); just a case of a foolish newbie who failed to follow the rules.
> just a case of a foolish newbie who failed to follow the rules
How was he foolish? Also the rules weren't written in his first language. Intent matters[1]. Facebook needs to be the first place people like him go, and be welcoming.
Facebook could do many things that don't involve paying a bounty directly. For example they could make a donation of the same amount to a suitable school or charity in his area.
You have to remember why these bounty programs exist in the first place. The whole point is to discourage people from selling the exploits to more unscrupulous parties. This guy had good intentions and he made a mistake because he wasn't as familiar with the ToS as he should have been. They should warn him about following the ToS in the future, and then they should give him his bounty. Foolish newbies with noble intentions deserve second chances.
This is wrong. The reporting guy clearly had white-hat intent and made an effort to alert Facebook to a real security problem. Because of miscommunication and some poor decisions, a message was posted to another user's wall. There was no malicious intent; this was done as an (admittedly desperate) part of a conversation.
Now is the time for both sides to make their apologies and for Facebook to reward the hacker.
They're not going to pay him. To do so would be legally risky, and set a precedent that could be helpful to actual malicious attackers in civil litigation. "Don't use accounts without accountholder consent" is the single most important term in a bug bounty; if you don't honor it, you're not participating in the bug bounty, but rather doing something else.
I don't see why paying him would necessarily have legal consequence: Facebook could make a discretionary payment while making it clear it's outside the scope of the bug bounty terms (indeed, by stating that he was doing something else).
> lacked the communication skills necessary to make a useful bug report
If anything, he had great communication skills. He overcame a non-native language barrier, while being conversationally blocked, and still made his point clearly.
Besides, are communication skills the important skill here? I would say not.
Facebook do not pay white hat hackers at a level appropriate to their skill and work ($1m total? that's all?!) and now it's also clear they are looking for technicalities to avoid payment.
Radle, perhaps more communication skills are needed to understand Facebook's response here:
I've reviewed our communication with this researcher, and I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him.
Facebook says Facebook failed communication. "He tried, we failed," is pretty cut and dried.
"Lacked the communication skills"... seriously? How do you know? Just because English is not his primary language and he had a hard time expressing himself in an unfamiliar language does not mean that he "lacked the communication skills".
This is absolutely the right response; I think it's not a stretch that a security report might be provided by a "newcomer" or potentially even a complete layman.
It makes way more sense to offer some sort of sandbox to prove bugs to filter this kind of thing (instead of having less-than-stellar bug responders like the "this is not a bug" guy).
If you could create your own "non-friend" user mock object and demonstrate the bug, no one has to parse your bad language. He proved the bug through a live test - doesn't it make sense to provide this kind of testing ground to whitehats?
I'm not a hacker, just a plain old developer. But in my world, when I want to explain something, I do it with test-case code and live examples, not through long-winded emails or bug reports.
The whitehat program page clearly spells out that you should use test accounts and then links you to a place to view/create test accounts: https://www.facebook.com/whitehat/accounts/
I guess he would have made more money by selling the exploit to someone with tons of fake accounts and a botnet. Then they would have used it to flood walls with malware and advertising links and generic spam.
Facebook can't possibly pay him. Exploiting a bug on the live site is not something they can reward, even if they want to. It would set the wrong kind of precedent, signaling that it's OK to do whatever to demo an exploit on Facebook.
That said, Facebook will surely find some deal so they end up with positive PR.
This could be soooo easy. Just provide a way to create a temporary account for tests that is not "a real user" and offer it on request. Creating and deleting these should not be a problem - if a report is false, the account won't change anyway.
ck2|12 years ago
You don't even have to tell anyone you did it if you are worried about "rewarding non-preferred behavior".
Mute the commercial and watch this video to meet this guy and realize he was trying to help and you were being idiots:
http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-f...
He hasn't worked in two years and his laptop is missing 5 keys.
spicyj|12 years ago
mafro|12 years ago
rogerbinns|12 years ago
[1] For example we do that when people are killed http://en.wikipedia.org/wiki/Murder_(United_States_law)#Degr...
arthulia|12 years ago
cheald|12 years ago
abhididdigi|12 years ago
He did follow the rules. Just that he didn't know to express them. And what made you think he is foolish?
jasonlotito|12 years ago
jwr|12 years ago
tptacek|12 years ago
ronaldx|12 years ago
new299|12 years ago
If people see that facebook back out of paying for legitimate, reported bugs, they'll seek other options to monetize them.
Radle|12 years ago
In his report he lacked the communication skills necessary to make a useful bug report, which in my opinion caused the problem.
ronaldx|12 years ago
Terretta|12 years ago
prawn|12 years ago
jaxb|12 years ago
If you are taking reports from users about security problems, treat every one as real until proven otherwise.
rytis|12 years ago
thezilch|12 years ago
jcutrell|12 years ago
jack-r-abbit|12 years ago
Sami_Lehtinen|12 years ago
zwdr|12 years ago
arnehormann|12 years ago
gregd|12 years ago
andyhmltn|12 years ago