Facebook, at least send the guy a new laptop.<p>You don't even have to tell anyone you did it if you are worried about "rewarding non-preferred behavior".<p>Mute the commercial and watch this video to meet this guy and realize he was trying to help and you were being idiots:<p><a href="http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-facebook-hack/" rel="nofollow">http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-f...</a><p>He hasn't worked in two years and his laptop is missing 5 keys.
Am I the only person out there that agrees he shouldn't receive a bounty?!<p>Facebook's stance is akin to "we don't negotiate with terrorists". Although obviously this wasn't malicious (or "terrorism"); just a case of a foolish newbie who failed to follow the rules.
This is wrong. The reporting guy clearly had white-hat intent and made an effort to alert Facebook to a real security problem. Because of miscommunication and some poor decisions, a message was posted to another user's wall. There was no malicious intent; this was done as an (admittedly desperate) part of a conversation.<p>Now is the time for both sides to make their apologies and for Facebook to reward the hacker.
They're not going to pay him. To do so would be legally risky, and set a precedent that could be helpful to <i>actual</i> malicious attackers in civil litigation. "Don't use accounts without accountholder consent" is the single most important term in a bug bounty; if you don't honor it, you're not participating in the bug bounty, but rather doing something else.
They should pay the guy, not because it's the "right" thing to do, but because it maximises future bug reporting.<p>If people see that Facebook backs out of paying for legitimate, reported bugs, they'll seek other options to monetize them.
After reading the messages between the white hat and Facebook, I do believe it is the right decision not to pay him.<p>In his report he lacked the communication skills necessary to make a useful bug report, which in my opinion caused the problem.
This is absolutely the right response; I think it's not a stretch that a security report might be provided by a "newcomer" or potentially even a complete layman.
It makes way more sense to offer some sort of sandbox to prove bugs to filter this kind of thing (instead of having less-than-stellar bug responders like the "this is not a bug" guy).<p>If you could create your own "non-friend" user mock object and demonstrate the bug, no one has to parse your bad language. He proved the bug through a live test - doesn't it make sense to provide this kind of testing ground to whitehats?<p>I'm not a hacker, just a plain old developer. But in my world, when I want to explain something, I do it with test-case code and live examples, not through long-winded emails or bug reports.
I guess he would have made more money by selling the exploit to someone with tons of fake accounts and a botnet. Then they would have used it to flood walls with malware and advertising links and generic spam.
Facebook can't possibly pay him. Exploiting a bug on the live site is not something they can reward, even if they want to. It would set the wrong kind of precedent, signaling that it's OK to do whatever to demo an exploit on Facebook.<p>That said, Facebook will surely find some deal so they end up with positive PR.
This could be soooo easy. Just provide a way to create a temporary account for tests that is not "a real user" and offer it on request. Creating and deleting these should not be a problem - if a report is false, the account won't change anyway.