
Bug Bounty Ethics - maximilianburke
https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics/10153799951452929
======
dang
This is the same story as
[https://news.ycombinator.com/item?id=10754194](https://news.ycombinator.com/item?id=10754194),
and the same story should not be both at #1 and #2.

Normally the thing we do with rapidly developing stories, i.e. when a new post
adds significant information, is bury the previous thread and leave the new
one up. But my sense is that people wouldn't prefer that in this case, and
since the current post is already being discussed in (edit: at the top of) the
other thread, we'll leave that one up instead.

~~~
sqren
It seems this post has now been removed from the front page. I understand your
reasons for not wanting to have two similar discussions simultaneously.
However, the two posts paint two different sides of the same story. How are
people going to read this side of the story if it's been hidden?

~~~
dang
The top subthread there links to this post, and the top several subthreads are
substantive defences of its position. Anyone who wants to read the other side
of the story will have little trouble finding it.

------
Mandatum
He phoned the researcher's CEO and subtly threatened legal action. This is
spin at its finest.

I agree the researcher shouldn't have escalated/pivoted once they had access,
that in itself breaks their ToS for the bug bounty program. However in doing
so the vuln went from "so-so" to "holy shit".

Whether this policy for disabling pivoting is realistic/a bit of a cop-out
from the vendor is arguable. In the real world an attacker wouldn't hesitate,
however FB can't have people crawling around their internal network,
potentially breaking or leaking user information.

The researcher, with all of his experience (incl. a 24K bounty payout from MS)
should be aware of the above. However less ethically inclined hackers would
have sold this access for $100K+.

EDIT: User ryanlol has made a good point, I thought they included fucking
around within the server to break ToS. But their page does not indicate that.
From the article it says:

> Intentional exfiltration of data is not authorized by our bug bounty program

However the ToS only talks about USER data. AWS S3 keys aren't included, we can
assume.

This is a tricky situation.

~~~
ryanlol
> that in itself breaks their ToS for the bug bounty program

Except it doesn't?

~~~
Mandatum
Once RCE is confirmed, any further access from there would break ToS. It's
bullshit, and kind of a cop-out - but it's a trade-off that these companies
have to make. Otherwise we could employ techniques like social engineering to
gain internal access, then start pen-testing from within the network.

~~~
ryanlol
Their ToS does not state this. They do however specifically state that social
engineering attacks are not eligible.

~~~
Mandatum
You're actually correct. I think this situation is a bit more complicated than
it seems at first.

Updated original reply.

------
ryanlol
> At this point, it was reasonable to believe that Wes was operating on behalf
> of Synack. His account on our portal mentions Synack as his affiliation, he
> has interacted with us using a synack.com email address, and he has written
> blog posts that are used by Synack for marketing purposes.

This is pretty questionable, and seems more like a hastily made up excuse. If
Alex wasn't acting with malicious intent then the logical approach would've
been to ask the researcher if he's operating on behalf of synack.

~~~
nikcub
Yes it is complete bullshit. This account is full of minimizing Facebook's
role in this when we all know that contacting the employer was a
straightforward intimidation tactic that is unfortunately all too common in
infosec (because it works).

> His account on our portal mentions Synack as his affiliation

Note 'his account' here is just his Facebook account. So you can rewrite that
line as 'his Facebook account lists him as employed at Synack'.

> he has interacted with us using a synack.com email address

That would be a crazy new precedent if we use email addresses as authority.

> and he has written blog posts that are used by Synack for marketing
> purposes.

having _written blog posts_ is even crazier.

Were Alex _genuine_ in thinking this was Synack he would have copied Wes on
the email and/or he would have asked him. He straight up went behind his back
and over his head.

Facebook had a bounty program that was very respected and operated well. I
don't understand how they've completely fucked this up and turned it into a
pissing contest.

Just say sorry, forgive the guy for the data download, clarify that it was
against the rules anyway, give the guy $20k, apologize for contacting his
employer and just get it over with.

This way it is just going to drag on for days now and everybody has already
forgotten that it was the reporter who made the first mistake.

I really, really don't get this.

edit: tip to researchers - create a new alias for each bug you report. once
the bug is all done and settled claim it under your real/public name. avoid
blowback, everyone gets it at least once.

------
paddlepop
I'm struggling to comprehend those in support of the researcher. As a security
researcher myself, this is just something you do not do. There was nothing
more to be gained after he had those API keys - for any other researcher it's
game over, you won. As far as I'm concerned anything that happens to you after
that point is of your own making.

------
minimaxir
> Wes was not happy with the amount we offered him

Wait, how does that work? Are there negotiations involved in Bug Bounties? But
there's no leverage once the bug has been exposed!

~~~
fredgrott
Wait, they offered him money and when he did not bow down to Facebook they
harassed him through his employer? Talk about an ethical lapse, big time.

~~~
andylei
they offered him money because it is a bug bounty program

------
kecks
The discussion on the researcher's blog post:

[https://news.ycombinator.com/item?id=10754194](https://news.ycombinator.com/item?id=10754194)

------
onestone
"the bug, which is less critical than several other public reports that we
have rewarded and celebrated"

The bug led to full access to critical data, and possibly to full control of
their servers. It's interesting what these other "more critical" bugs were.

"Not very original" != "not critical". Alex seems to imply these are
equivalent.

------
mcphage
I don't quite get Facebook's position here. This guy demonstrated that all of
Instagram's data is publicly accessible. By jerking him around, they are
resting a _lot_ of money on their belief that he's not a black hat hacker. If
they were wrong, they're looking at the mother of all data leaks. Would they
want to tread at least _somewhat_ gently with him, instead of treating him like
he _is_ a black hat? I mean, luckily for them he's not, but what if they were
wrong?

------
kderbe
How come this article has fallen off the front page so quickly? It's on page 7
now, even with nearly 100 points in under an hour's time.

~~~
dang
[https://news.ycombinator.com/item?id=10755361](https://news.ycombinator.com/item?id=10755361)

------
staunch
He's spinning what happened, now that his actions are public. It's not like
the reporter wasn't responding to his emails. Alex Stamos _only_ called the
guy's boss to intimidate, bully, and threaten him with legal action. He admits
what he did but thinks it wasn't wrong and won't apologize. His sense of
ethics seems to be one-sided.

Someone needs to call Zuckerberg to let him know about the aggressive and
unethical behavior of _his_ employee.

