Although this is blogspam, it's blogspam that I can actually support...

This is being covered a lot more widely because FB didn't just pay the guy. I know it wasn't about money for FB, but this has easily done a lot more damage than they would have expected, and because of their inadequate handling of a single bug report, I can only feel satisfied, as I think this will go down as a good case study of how not to be so dismissive with critical bugs.

(I still think they should pay the guy, and it should be double the $5k he would have expected to receive.)
Once again, with feeling:

Even if Facebook wanted to ignore the terms of their bug bounty to pay this person, they probably can't. Bug bounties are legally fraught as it stands. Like every bug bounty, Facebook's is clear: if you use a real account, _you must have the consent of the accountholder_. That term isn't just there to make the Facebook security team's job easier; they also can't officially condone people compromising random user accounts.

Facebook also operates in a web of contractual and regulatory concerns, including California's breach notification laws. Exploitation of security vulnerabilities on Facebook's public properties outside of the terms of their bug bounty might be legally more akin to attacks than to pro-bono testing. Further, Facebook obviously needs the ability to reliably enforce their terms, lest they provide attackers with ammunition in a court case if they, for instance, Pastebin large amounts of Facebook user data. "Oh, I was just participating in the bug bounty program; I certainly wasn't setting out to sell $CELEBRITY's data to a tabloid."

Jim Denaro is an attorney specializing in stuff on this. We talked to him on Twitter this weekend when the story broke, and he said he would have advised against paying the bounty here too. Maybe we can get him to write a blog post.

I don't know how much "outrage" this has actually generated in the security community (maybe you can find links). The security people I've talked to think what happened makes perfect sense. Facebook didn't freak out; they acknowledged the bug report (once they understood it) and fixed the bug. They're just not paying a reward, because the bugfinder violated what is perhaps _the most important term in the bug bounty_.

One more thing: people on HN have a lot of strong opinions about Facebook, and while I don't share many of them, I understand and respect them. Understand, though, that the people working on Facebook's security are real and very smart and by and large not the least bit interested in screwing other bugfinders out of 0.00000000001% of Facebook's operating capital.
> Shreateh reports he will not, however, receive a bounty for his work — per an e-mail from Facebook, he violated the terms of the program when he hacked Zuckerberg's account.

I think this is wrong. He posted on Sarah Goodin's wall first before making any report, very clearly breaking the rules FB sets up for its whitehat program. They offer a way to create test accounts for exactly this. Posting on Mark Zuckerberg's wall has nothing to do with it.

As far as I'm concerned, FB's only mistake here was to brush him off instead of asking for further information from the initial report. Hardly newsworthy.
Why don't people just send things in their native language? If the platform for communication is serious (like a place to report security vulnerabilities), I would imagine they would spend the time/money to get a real translation if one was needed. Even Google Translate probably could've done a better job than this guy's original report.
I don't really understand what significance there is in stating that he is "unemployed." Does that somehow make his actions better/worse or the "hack" more/less tolerable?
The Facebook team should have taken better care of this, but the guy should have used one of the test accounts, or created a test account to demonstrate this, rather than fuck with someone else's private Facebook account.

Very bad form.
I find it interesting the amount of attention Hacker News is getting from this in mainstream media.

It makes me wonder, when people unfamiliar with Hacker News read about it in stories like this, do they get the wrong impression and think Hacker News is about the criminal kind of "hacking"?
Hasn't this story been posted multiple times already?

Also, it was made clear that he clearly violated the TOS and that his messages were unintelligible.
It's simple: Facebook can't set the precedent that people who exploit bugs in this way get paid. If they did, every Joe who felt that their particular bug wasn't being addressed quite right would think that public exploitation is the faster route to their reward.
What is wrong with journalists nowadays? Reading Hacker News and copy-pasting stuff into articles is not what I would call good journalism.

It would be nice if people could stop reposting shit from "average Joe" newspapers.
It would be a class act if Mark Z personally paid him the bounty, or maybe if FB employees crowdfunded it.

Then they don't have to admit they were wrong and don't look like jerks. Best of both worlds.
This seems like a lack of communication skills on both parts, imho. Why would you respond "this is not a bug" to a bug report you did not understand?
lol, you ad serving pricks! XD

Will someone send this Khalil Shreateh a brand new quad-core? TIA

Khalil Shreateh - respect. Let your name be indexed once more.
Facebook is a top tier company; they don't pay people attention, much less real money, without a track record of like Harvard or Stanford already.