How I got a $3,500 USD Facebook Bug Bounty

145 points by fransr over 12 years ago

9 comments

shimon_e over 12 years ago
I submitted a report to Facebook about privacy setting circumvention. Didn't receive a response. Didn't receive a bounty. Facebook DID fix the bug after some months.

Feel a bit cheated that a billion dollar company couldn't take the time to respond... if I had the time I'd follow up with them.
killahpriest over 12 years ago
Whenever people teaching others about security mention XSS, I've always wondered: does it really even happen in the real world? I'm sure everybody escapes their input.

Turns out there's a reason XSS is so often mentioned. Even Dropbox and Facebook fell prey to it (although in this case the input wasn't from the web, but rather from their desktop application/service partner).
gklitt over 12 years ago
Props to Facebook for being so responsible about fixing this bug. After seeing so many blog posts about companies not responding to emails from whitehats finding XSS vulnerabilities (http://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html), it's comforting to see someone take such reports seriously.
tommi over 12 years ago
I bet the Blackhat Vulnerability Program would've paid a lot more.
jbverschoor over 12 years ago
lol.. I found a bug in PayPal which allowed me to transfer funds from one account to another, even though this was prohibited.

I got nothing. Maybe next time I'll just post this stuff for random people on Twitter to find.
tomjen3 over 12 years ago
Wow, so all that happens if you save Dropbox's ass is that you get a special mention on their special page that very few people know about?

Why even bother to tell them then?
tokipin over 12 years ago
Wait, Facebook has like millions of bugs -.- though maybe UI glitches aren't considered bugs.
wilfra over 12 years ago
I submitted an error (and a solution) in their Open Graph docs that caused a bug if anybody copy/pasted the code from their site. The error was fixed within hours; however, I never got any money or even an email :(
robmcvey over 12 years ago
BAM!