Instagram's Million Dollar Bug

1562 points, by infosecau, over 9 years ago

54 comments

secalex, over 9 years ago
Thank you to everybody who cautioned against judgment before hearing the whole story. Here is my response: https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics/10153799951452929
tptacek, over 9 years ago
In stories like this, try first to remember that Facebook isn't a single entity with a single set of opinions, but rather a huge collection of people who came to the company at different times and different points in their career.

Alex Stamos is a good person† who has been doing vulnerability research since the 1990s. He's built a reputation for understanding and defending vulnerability researchers. He hasn't been at Facebook long.

To that, add the fact that there's just no way that this is the first person to have reported an RCE to Facebook's bug bounty. Ask anyone who does this work professionally: *every* network has old crufty bug-ridden stuff laying around (that's why we freak out so much about stuff like the Rails XML/YAML bug, Heartbleed, and Shellshock!), and *every* large codebase has horrible flaws in it. When you run a bug bounty, people spot stuff like this.

So I'm left wondering what the other side of this story is.

Some of the facts that this person wrote up are suggestive of why Facebook's team may have been alarmed.

It seems like what could have happened here is:

1. This person finds RCE in a stale admin console (that is a legit and serious finding!). Being a professional pentester, their instinct is that having owned up a machine behind a firewall, there's probably a bonanza of stuff they now have access to. But the machine itself sure looks like an old deployment artifact, not a valuable asset Fb wants to protect.

2. Anticipating that Fb will pay hundreds and not thousands of dollars for a bug they will fix by simply nuking a machine they didn't know was exposed to begin with, the tester pivots from RCE to dumping files from the machine to see where they can go. Sure enough: it's a bonanza.

3. They report the RCE. Fb confirms receipt but doesn't respond right away.

4. A day later, they report a second "finding" that is the product of using the RCE they already reported to explore the system.

5. Fb nukes the server, confirms the RCE, pays out $2500 for it, declines to pay for the second finding, and asks the tester not to use RCEs to explore their systems.

6. *More than a month after Facebook has nuked the server* they found the RCE in, they report another finding based on AWS keys they took from the server.

So Facebook has a bug bounty participant who has gained access to AWS keys by pivoting from a Rails RCE on a server, and who apparently has *retained* those keys and is using them to explore Instagram's AWS environment.

So, some thoughts:

A. It sucks that Facebook had a machine deployed that had AWS credentials on it that led to the keys to the Instagram kingdom. Nobody is going to argue that, though again: every network sucks in similar ways. Sorry.

B. If I was in Alex's shoes I would flip the fuck out about some bug bounty participant walking around with a laptop that had access to lord knows how many different AWS resources inside of Instagram. Alex is a smart guy with an absurdly smart team and I assume the AWS resources have been rekeyed by now, but still, how sure were they of that on December 1?

C. *Don't ever do anything like what this person did* when you test machines you don't own. You could get fired for doing that working at a pentest firm even when you're being paid by a client to look for vulnerabilities! If you have to ask whether you're allowed to pivot, don't do it until the target says it's OK. Pivoting like this is a bright line between security testing and hacking.

This seems like a genuinely shitty situation for everyone involved. It's a reason why I would be extremely hesitant to ever stand up a bug bounty program at a company I worked for, and a reason why I'm impressed by big companies that have the guts to run bounty programs at all.

† *(and, to be clear, a friend, though a pretty distant one; I am biased here.)*
dsacco, over 9 years ago
As a security researcher and engineer, I'd like to point out the following, without taking sides:

1. Facebook is *not* going ballistic because this is a RCE report. They have received high and critical severity reports many times before and acted peaceably, up to and including a prior RCE reported in 2013 by Reginaldo Silva (who now works there!).

2. The researcher used the vulnerability to dump data. This is well known to be a huge no-no in the security industry. I see a lot of rage here from software engineers - look at the responses from *actual* security folks in this thread, and ask your infosec friends. Most, perhaps even all, will tell you that you *never* pivot or continue an exploit past proof of its existence. You absolutely do not dump data.

3. When you dump data, you become a flight risk. It means that you have sensitive information in your possession and they have no idea what you'll do with it. The Facebook Whitehat TOS explicitly forbid getting sensitive data that is not your own using an exploit. There is a precedent in the security industry for employers becoming involved for egregious "malpractice" with regards to an individual reporting a bug. A personal friend and business partner of mine left his job after publicly reporting a huge breach back in 2012 (I agree with his decision there), and Charlie Miller was fired by Accuvant after the App Store fiasco. Consider that Facebook is not the first company to do this, and that while it is a painful decision, it is not an insane decision. You might not agree with it, but there is a precedent of this happening.

I'm not taking sides here. I don't know that I would have done the same as Alex Stamos here, but it's a tough call. I do believe the researcher here is being disingenuous about the story considering that a data dump is not an innocuous thing to do.

I'm balancing out the details here because I know it will be easy to see "Facebook calls researcher's employer and screws him for reporting a huge security bug" and get pitchforks. Facebook might be in the wrong here, but consider that the story is much more nuanced than that *and* that Facebook has an otherwise *excellent* bug bounty history.

Edited for visibility: 'tptacek mentioned downthread that Alex Stamos issued a response, highlighting this particular quote:

*At this point, it was reasonable to believe that Wes was operating on behalf of Synack. His account on our portal mentions Synack as his affiliation, he has interacted with us using a synack.com email address, and he has written blog posts that are used by Synack for marketing purposes.*

Viewed in this light (and I don't believe Stamos would willfully fabricate a story like this), it is very reasonable to escalate to an employer if they seem to be affiliated with a security researcher's report.
biot, over 9 years ago
Summarizing what I've seen here in analogy form:

    Researcher: "I found a way to unlock your door"
    Facebook: "Thanks, here's $2500. We've now fixed the problem."
    Researcher: "Oh, BTW when I unlocked your door I rifled through your stuff and found your passport, your banking details, and a lot of personal information. I've kept copies of these. I also found the keys to your car and looked inside, where I found a box in the trunk. That box contained sensitive documents including an employee badge / proximity card. I used this card to gain access to your workplace. In doing this, I also managed to get into the janitor's closet which had a set of keys. I used these keys to get access to the complete building and took a look at all the HR files and rifled through a bunch of corporate contracts."
    Facebook: <gobsmacked>
    Researcher: "Can I have my million bucks now?"

Where the researcher stepped over the line is using the door attack to escalate further attacks. It's little different than finding a way to reliably impersonate Mark Zuckerberg's credentials in such a way that others will 100% believe it. That finding is worthy of a reward. But then using that vulnerability to social engineer others to reveal passwords, using that as a launching point for mounting further attacks, is going way too far.
tshtf, over 9 years ago
Note to self: Don't report any chained attacks to any large company's bug bounty programs. Alex Stamos contacting the employer of the bug reporter is completely out of line.

This is the fastest and easiest way for Facebook to stop good submissions to their bug bounty program.
daveloyall, over 9 years ago
In my opinion, the author is feigning shock...

He claims to have downloaded the content listed below. And he is surprised that Facebook responds coldly? Note the string "private keys" in this list... Doesn't the author know how long it will take them to recover from this breach? How much it will cost them?

On the other hand, it does sort of reinforce the idea that he should be paid handsomely, doesn't it? :)

    * Static content for Instagram.com websites. Write access was not tested, but seemed likely.
    * Source code for fairly recent versions of the Instagram server backend, covering all API endpoints, some image processing libraries, etc.
    * SSL certificates and private keys, including both instagram.com and *.instagram.com
    * Secret keys used to sign authentication cookies for Instagram
    * OAuth and other Instagram API keys
    * Email server credentials
    * iOS and Android app signing keys
    * iOS Push Notifications keys
    * Twitter API keys
    * Facebook API keys
    * Flickr API keys
    * Tumblr API keys
    * Foursquare API keys
    * Recaptcha key-pair
Zikes, over 9 years ago
Facebook's calling his employer could be slanderous, possibly even criminal harassment.

Between stories like this demonstrating companies' apparent lack of understanding of whitehat infosec, and Weev's incarceration demonstrating the American legal system's apparent lack of understanding of whitehat infosec, it's hard to believe people still participate in such endeavors.
benmanns, over 9 years ago
I think the solution here is to pay $100k+ for RCE exploits and explicitly forbid pivoting access after the first vulnerability is discovered. Facebook offered $2,500 for a security vulnerability that could do much greater damage. What kind of vulnerability is a "million-dollar bug" if not RCE? How would you possibly have a "million-dollar bug" that is a single-point-of-contact bug, and how would you verify that Facebook is paying you fairly? They didn't seem to in this case.
tptacek, over 9 years ago
Alex responds:

https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics/10153799951452929

Critically:

*At this point, it was reasonable to believe that Wes was operating on behalf of Synack. His account on our portal mentions Synack as his affiliation, he has interacted with us using a synack.com email address, and he has written blog posts that are used by Synack for marketing purposes.*

Alex's timeline seems like it matches what I wrote earlier:

https://news.ycombinator.com/edit?id=10754627
danso, over 9 years ago
So if I'm reading this correctly, this massively compromising attack was made possible by doing a little research? e.g. knowing about one of the admin services used by Instagram, looking in that admin's public repo, and musing whether Instagram had bothered to change the secret key from the default entry in the repo?

We'll probably never see a post mortem on this but it'd be interesting to hear how this got moved to production...: was the Sensu admin panel a nice scaffold for internal use and by the time they decided to make it remote, everyone just assumed the secret key had been changed at some point?
joslin01, over 9 years ago
The thing that gets to me is the lack of gratitude on Facebook's end. Instead, they turn him into the villain for breaking imaginary rules. What would have been the harm in slapping him on the wrist and giving him some sort of reward for exposing a huge vulnerability? Instead, they eat the reward and shit on the guy who produced it. Real classy FB.
nathanvanfleet, over 9 years ago
Sort of an interesting conflict these bug bounties create. You have someone who wants to hack as deeply as possible to have a bigger bug bounty based on stated rules, but at the same time they will invalidate your bounty if they arbitrarily determine it as too much?

I imagine the initial report by his friend that the server was accessible would not be a very high paying bounty compared to one accessing the server. But how deep is too deep?
onewaystreet, over 9 years ago
> With the RCE it was simple to read the configuration file to gain the credentials necessary for this database. I connected and dumped the contents of the users table.

This was his mistake. This is a huge no-no. You never dump data unless you have permission. It's against the terms of most bounty programs.
phantarch, over 9 years ago
How likely is it that this sort of a thing stopped being a technical item of discussion and turned into a political one by the security contacts at Facebook?

I'm always curious about what sort of internal pressures would lead people to take a well-reported bug that the author did not take malicious action on and blow it up to the point that the CSO is getting involved.
dperfect, over 9 years ago
Not only did this person make several large and irresponsible mistakes in the process of uncovering and reporting the bug (dumping tons of private user information without permission, going far beyond simply discovering and reporting the bug, etc.), but they also keep referring to Ruby ("running Ruby 3.x, which is susceptible to code execution via the Ruby session cookie") as the vulnerable piece, when in reality, it's the version of *Rails* that had the vulnerability.
kirankn, over 9 years ago
@secalex I believe that the researcher clearly fulfilled the primary objective of bug bounty programs by exposing a weakness of yours which you, in spite of having large and competent teams, weren't aware of and had not sealed yet. And he did nothing to use that information with a malicious intent.

Your actions are detrimental to your relations to such good mannered external security researchers who are helping you keep your infrastructure safe from the bad guys. You should have been a little more sensitive and a lot more generous than you have been.
shawn-butler, over 9 years ago
Wow what happened to Instagram?

Facebook really needs to go the way of myspace if they keep this sort of behavior up.

How can a CSO at Facebook legitimately tell a CEO of another organization that a vulnerability of "little value" was found when the researcher has your signing certs? Does he lack relevant info or is he just incompetent?

This is tantamount to mafia tactics. Hint, hint, we're facebook so get your people in line or else.
shaunol, over 9 years ago
If companies are going to keep trying to get out of paying bounties for insane vulnerabilities like this, white hat researchers will just move onto something else, leaving the bounties to be paid out by the black market. Bounties aside, contacting his employer is a disgusting move.
ryanlol, over 9 years ago
The fact that Alex Stamos from Facebook contacted this researcher's employer talking about potential lawsuits to threaten the employee via a proxy is probably the single most damning thing in the entire article.

That to me is entirely unacceptable; if you want to threaten someone then have your legal team send them a cease and desist. Don't go after their livelihood.
aioprisan, over 9 years ago
This is as clear cut a case of full exploit with escalation of privilege all the way to full services source code read access, SSL private keys, full admin AWS credentials, services API keys from Twitter to analytics, email server logins, the list goes on.. all of this without even looking at a single user profile or violating user privacy, and it's not a legit security bug? This has to be worth more than $2500, and I think Facebook sets a bad precedent where folks won't disclose big security issues because of how unclear the TOS are, so that they can avoid embarrassment.
ctvo, over 9 years ago
October 22nd: Weak passwords found and reported. Also grabbed the AWS keys from the config file.

October 24th: Server no longer reachable. Tested keys and they still worked, assumed to have gone on a download spree.

Seems like this is the biggest issue with how Facebook handled this case. No one looked to see what Wes accessed when he logged in with the weak credentials? No one realized he could have accessed the AWS key?

To treat what Wes found as a minor bug and then fuck up like that is sort of hilarious.
zupreme, over 9 years ago
Ridiculous.

This is why many security professionals become disillusioned with bounty programs. This story is not uncommon at all.

Bounty programs, while presenting a tempting incentive to practice one's skills, are a very poor income strategy.

You are essentially working, unpaid, for organizations who are just as likely to ignore you (or report you to law enforcement) as they are to pay you for your findings.

No wonder so many young talented security pros are more easily tempted to trade their findings for the safety of a crypto transaction with an anonymous buyer than they are to submit them through official channels.
tptacek, over 9 years ago
Wait a sec.

Look at his timeline again.

He tested the AWS creds in October.

They shut the server off on October 24.

He reported the AWS creds in December.

Did he tell them about the AWS creds before then? His mails don't say that he did.

If he didn't, *why didn't he?*
joepie91_, over 9 years ago
My two cents.

It seems that people defending Facebook's behaviour in this thread have collectively lost sight of what the point of a bug bounty is to begin with - to encourage people to report issues, rather than sell them.

We now have people arguing that "it is not acceptable to pivot beyond the initial intrusion for a bug bounty", even though *a malicious attacker would have done the exact same thing*. As long as standard no-damage rules are followed, where's the problem?

The bug bounty program is working exactly as intended, but the researcher is getting dinged over arbitrary rules. As somebody else here mentioned already: the reason blackhat work still pays is because such arbitrary and bureaucratic rules *do not exist there*.

We should not forget that bug bounties are a tool, not a goal - the goal is to convince researchers to report rather than sell, and *every* part of a bug bounty and its rules must be designed accordingly.

Also: Why the hell were those AWS credentials not revoked immediately after compromise? This constitutes a grossly negligent failure on Facebook's part to assess impact, *on top* of their existing failure to have the "keys to the kingdom" on a single server to begin with.

And frankly, that failure only reinforces the need for the researcher pivoting into further systems, rather than just keeping it to a PoC - because evidently, *nobody* is going to assess impact at Facebook if the researcher doesn't do it himself.
joeyspn, over 9 years ago
It's clear to me after reading *between the lines* of both sides of the story that the Instagram/FB sec team screwed up by not acknowledging the severity of the bug and paying the researcher accordingly.

Why get mad about a "low level bug"... I mean, if you can dump private user pics from a photo sharing app, how is this low level? Really?

It's also pretty clear that the researcher shouldn't have dumped data, although most likely he reserved this hidden card for later since he was expecting the lowball... but there are smarter ways to reply to lowballing.

IMO poorly managed on both parts.
mef, over 9 years ago
An interesting decision on Alex's part to only pay the $2500 for the RCE bug.

On one hand, this signals to anyone else who might want to disclose security issues that Facebook bounties don't pay out anywhere near proportionally to the full potential damage impact of the issue.

On the other hand, if they pay out a lot more now, they're signalling that if you find a vulnerability, you need to dig deeper in order to have insurance in case Facebook gets stingy.

Probably the best outcome would have been to pay out a more proportional bounty, even though Wes' exploration was beyond what's generally acceptable, so that Facebook's bounty program reputation is preserved.

That or press criminal charges to discourage any other researchers from going over the line.
pmontra, over 9 years ago
It's not the main point of the post, which is Facebook's response to the researcher, but I'm really surprised that they're storing unencrypted secret keys and source code on S3. They trust Amazon a lot and have no fear that somebody could eavesdrop on Amazon servers (if I were a black hat I'd go for the accounts of the big guys, not for the one of a random guy).

http://www.exfiltrated.com/research-Instagram-RCE.php#One_Key

I wonder what any claim of protecting users' privacy is worth when they leave their credentials unprotected in that way.

https://www.instagram.com/about/legal/privacy/

"We use commercially reasonable safeguards to help keep the information collected through the Service secure [...]"

Oops.

I can imagine why they didn't appreciate the efforts of the researcher. Hopefully they'll change their current practices.
Animats, over 9 years ago
The initial bug in Ruby/Rails is striking in its stupidity.[1] You can send something to Ruby/Rails in a session cookie which, when unmarshalled, stores into *any named global variable in the namespace of the responding program*. It's not a buffer overflow or a bug like that. It's *deliberately designed to work that way*. It's like doing "eval" on untrusted input. This was on YC years ago.[2] Why was anything so idiotic ever put in Ruby at all?

Something like this makes you suspect a deliberate backdoor. Can the person who put this into Ruby/Rails be identified?

[1] http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/
[2] https://news.ycombinator.com/item?id=6110386
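The signed-cookie mechanism Animats describes and the "secret left at its public-repo default" failure danso raises, in an added example that is not from this thread or the linked write-up: a minimal re-implementation of the Rails 3 cookie format (base64 data, `--`, HMAC-SHA1 over it), serialized with JSON rather than Marshal so a verified cookie can only yield plain data, plus a check that flags a `secret_token` matching a published value. The `KNOWN_PUBLIC_SECRETS` list and the 64-character length floor are constructed for the example, not Rails defaults.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Minimal re-implementation of the Rails 3 MessageVerifier cookie format:
#   base64(serialized_session) + "--" + hex(HMAC-SHA1(secret_token, base64_part))
# Rails 3 serialized the session with Marshal, which is what turns a known
# secret_token into code execution on deserialization. This example serializes
# with JSON instead, so a cookie that passes verification only ever yields data.
class SessionVerifier
  def initialize(secret_token)
    @secret = secret_token
  end

  # Build a signed cookie for a session hash (what the server does on response).
  def generate(session_hash)
    data = Base64.strict_encode64(JSON.generate(session_hash))
    "#{data}--#{digest(data)}"
  end

  # Return the session hash if the signature is valid, nil otherwise (what the
  # server does on request). The signature is checked before anything is decoded.
  def verify(cookie)
    data, sig = cookie.to_s.split("--", 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), @secret, data)
  end

  # Constant-time comparison so the signature check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A secret that ships verbatim in a public repository is effectively public:
# anyone can sign cookies the server will accept. This list is CONSTRUCTED for
# the example; a real check would be fed the values found in the published
# config templates of the software actually deployed.
KNOWN_PUBLIC_SECRETS = [
  "changeme-example-token-from-public-repo",
].freeze

# Report why a configured secret_token should not be trusted. The 64-character
# floor is this example's own threshold (`rake secret` emits 128 hex chars).
def secret_token_findings(secret)
  findings = []
  findings << "secret_token matches a publicly published value" if KNOWN_PUBLIC_SECRETS.include?(secret)
  findings << "secret_token shorter than 64 characters" if secret.to_s.length < 64
  findings
end

# The thread's two lessons in one run: with a published secret, a cookie minted
# outside the server verifies as genuine; rotating the secret is the remedy,
# and it invalidates every session signed under the old key.
def rotation_demo
  leaked = KNOWN_PUBLIC_SECRETS.first
  minted = SessionVerifier.new(leaked).generate({ "user_id" => 1, "admin" => true })
  before = SessionVerifier.new(leaked).verify(minted)                 # accepted
  after  = SessionVerifier.new(SecureRandom.hex(64)).verify(minted)   # rejected
  { before: before, after: after }
end

if __FILE__ == $PROGRAM_NAME
  puts secret_token_findings(KNOWN_PUBLIC_SECRETS.first).inspect
  puts rotation_demo.inspect
end
```

The rotation step mirrors the point made about the AWS keys further up the thread: once a credential has been exposed, only re-keying ends the exposure.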
piker, over 9 years ago
Posting this write-up might be the last thing the researcher should have done--from a criminal liability perspective. First, the negative press might serve to piss off Facebook (who could have some perspective we are not privy to here). From Facebook's angle, the criminal aspect here may be a much closer issue, and this write-up could serve as the tipping point. Second, as a party admission, this post could very well be admissible against the researcher at trial. Without a doubt, it can be used to contradict any testimony he might provide in defense of his actions here. (So, you HAD read the ToS, correct?) Even without Facebook's "pressing charges", a US Attorney with political aspirations might just decide she has enough here to move forward against the researcher in an effort to appear "tough on cybercrime". This whitehat stuff is murky territory for sure.
danra, over 9 years ago
I don't see how the CSO's response makes sense for Facebook's security interests. As CSO, it is in your interest to allow a researcher to exploit an RCE to its furthest. Otherwise, you would only ever allow researchers to inoculate your outermost layer of protection, while leaving any inner level untested and thus less secure.

If indeed only credentials and technical information were obtained, all aimed at finding more security issues, Facebook should be thankful for finding all the vulnerabilities across all their security layers.
arbitrage314, over 9 years ago
If accurate (which it seems to be), a very disappointing handling by Facebook.
adrianmacneil, over 9 years ago
When reading the author's article, it would certainly be easy to grab the pitchforks. It is actually a pretty interesting/useful vulnerability that some low-level AWS keys were able to be escalated to some highly privileged keys, and that none of these keys were IP-whitelisted.

However, the biggest issue I see here is that the author (in their own timeline at the bottom of this post) says that they discovered the AWS keys on October 24, yet they did not report this to Facebook until December 1 (in the meantime, they were having various discussions with Facebook about whether their other submissions were valid). That is seriously concerning behavior; if you come across some live AWS keys this should be reported immediately, you should absolutely not just sit on them for over a month as if they are some sort of bargaining chip.
kunle, over 9 years ago
If accurate, seems like a pretty counterproductive way to handle this.
spicyj, over 9 years ago
Alex Stamos (Facebook CSO) just posted an official response:

https://news.ycombinator.com/item?id=10755060
Garthex, over 9 years ago
Cached version: https://webcache.googleusercontent.com/search?q=cache:vR9o3UYqgIoJ:exfiltrated.com/research-Instagram-RCE.php&hl=en&gl=us&strip=1&vwsrc=0
AVTizzles, over 9 years ago
Why call the CEO and not his Mom?
Pxtl, over 9 years ago
On the one hand I got a little squicked in the story when he started cracking passwords, but on the other hand I kind of assumed that bug bounty systems would want the tester to find out how deep the bug goes. Otherwise the depth of your security isn't being tested.
Dolores12, over 9 years ago
The lessons I learned here are: 1) any RCE vulnerability of Instagram leads to unrestricted access to user data. Facebook knows it, does nothing about it. 2) Facebook will not pay you your bug bounty reward, but will complain to your employer.
giancarlostoro, over 9 years ago
I really don't want to imagine what would have happened if he wasn't part of the bug bounty and instead had malicious intent; how bad things would have gone.
redditplebs, over 9 years ago
Looks like the site's down. Mirror/Google cached page: http://webcache.googleusercontent.com/search?q=cache:vR9o3UYqgIoJ:exfiltrated.com/research-Instagram-RCE.php+&cd=2&hl=en&ct=clnk&gl=us
ishanr, over 9 years ago
It's really simple. This is the beginning of the end of Facebook. With their fake clicks on their ads and what not.
eecks, over 9 years ago
imo Facebook should be grateful for people like this instead of burning them
ianhawes, over 9 years ago
I'd like to see a service where a company's source code/database/confidential info is placed in escrow pending the payout from a bug bounty. Or, perhaps more likely, some sort of 3rd-party arbitration.
henley-cs, over 9 years ago
That's a lot of posturing on both sides. FB had some severe vulnerabilities that the author certainly pointed out. And the author could have read the bucket contents without downloading them. FB clammed up. The author overreached. Neither ends up really winning anything here. 'Tis a shame.
socrates2016, over 9 years ago
Nerd owns FB and wants to rub it in their face. FB power plays nerd. Nerd publicly pawns FB in retaliation.
ibic, over 9 years ago
CSO slaps a legal threat on a security researcher and talks about ETHICS? Good job man, gooooooooooooooooooooooooooooooooood job.
mml, over 9 years ago
Bad form on Mr. Stamos' part.

edit: if it's indeed true, but I have my doubts that's the case. Hard to say either way.
bsmartt, over 9 years ago
I thought their stack was django?
joshmn, over 9 years ago
> Ruby 3.x

Rails 3.x*
twerkmonsta, over 9 years ago
Is it normal for security researchers to use Windows for their OS?
guard-of-terra, over 9 years ago
Once again we see how people act hard-ass in sight of a gaping vulnerability in their system. Be it a law system, computer system or moral system, you will see denial and intimidation.

We should have a "pastebin hat" list and Facebook should definitely be on it.

The problem with humans is that they will rather go extinct over such things than behave properly. You could try to teach us by painful example but death will probably come first.
marincounty, over 9 years ago
"As a researcher on the Facebook program, the expectation is that you report a vulnerability as soon as you find it. We discourage escalating or trying to escalate access as doing so might make your report ineligible for a bounty. Our team accesses the severity of the reported vulnerability and we typically pay based on its potential use rather than rely on what's been demonstrated by the researcher."

Well, FB feels your bug bounty is worth $200? Strike that figure. We feel like your bug bounty is worth a $100 advertising credit, if you buy $100 in advertising? Next time just report the bug. Thanks!

(I don't know if it's my innate dislike of FB, or I feel it shouldn't be up to a company to determine what they feel a bug is worth? If you are going to have a bug program--put in some Very solid rules? They shouldn't be just winging it at this point? It's not some cute little start up? It's a huge machine that's making a fortune off its victim?

I'm still not sure if FB really cared about this hacker's escalation of a potential attack, or it's about money? Would I want a hacker to show me my vulnerability with my clients' information--no, but make that crystal clear in the TOS.)
maemilius, over 9 years ago
Am I the only one mildly annoyed that the author constantly conflated Rails and Ruby?
blazespin, over 9 years ago
In general, if you have a green handle, you shouldn't be commenting on things like this. Otherwise we'll have sock puppets galore muddying the waters.