
Recent reports on our whitehat program - Lightning
https://www.facebook.com/note.php?note_id=10151538365500766
======
ck2
Facebook, at least send the guy a new laptop.

You don't even have to tell anyone you did it if you are worried about
"rewarding non-preferred behavior".

Mute the commercial and watch this video to meet this guy and realize he was
trying to help and you were being idiots:

[http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-f...](http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-facebook-hack/)

He hasn't worked in two years and his laptop is missing 5 keys.

~~~
spicyj
Maybe they did. If they followed your advice we'd never know.

------
mafro
I am the only person out there that agrees he shouldn't receive a bounty?!

Facebook's stance is akin to "we don't negotiate with terrorists". Although
obviously this wasn't malicious (or "terrorism"); just a case of a foolish
newbie who failed to follow the rules.

~~~
cheald
I guess next time he should just sell the exploit on the black market then.

~~~
borplk
If he's the kind who would sell the exploit next time, Facebook isn't
interested in rewarding him anyways.

Bounty programs are not there to create a more appealing market and out-bid
the black hat hackers.

~~~
Blahah
That's exactly what they're there for. They encourage and reward a white-hat
culture.

~~~
borplk
Bounty programs do not attempt to compete with black hat markets or outbid
black market rates.

The purpose of bounty is to encourage white hat hackers to challenge one
specific application instead of millions of other applications out there that
the white hat hacker could spend his/her time on.

So it's saying "Hey...instead of working on that random application why don't
you try to hack us because hey you could earn some money too".

It's assumed that the person is a white hat hacker who would not sell the bug
in black market anyways, even if there was no bounty.

------
jwr
This is wrong. The reporting guy clearly had white-hat intent and made an
effort to alert Facebook to a real security problem. Because of
miscommunication and some poor decisions, a message was posted to another
user's wall. There was no malicious intent, this was done as an (admittedly
desperate) part of a conversation.

Now is the time for both sides to make their apologies and for Facebook to
reward the hacker.

------
tptacek
They're not going to pay him. To do so would be legally risky, and set a
precedent that could be helpful to _actual_ malicious attackers in civil
litigation. "Don't use accounts without accountholder consent" is the single
most important term in a bug bounty; if you don't honor it, you're not
participating in the bug bounty, but rather doing something else.

~~~
ronaldx
I don't see why paying him would necessarily have legal consequence: Facebook
could make a discretionary payment while making it clear it's outside the
scope of the bug bounty terms (indeed, by stating that he was doing something
else).

~~~
tedunangst
Should (will) the next person to post on MZ's wall expect a "discretionary
payment" for "doing something else"?

------
new299
They should pay the guy, not because it's the "right" thing to do, but because
it maximises future bug reporting.

If people see that Facebook backs out of paying for legitimate, reported bugs,
they'll seek other options to monetize them.

------
Radle
After reading the messages between the white hat and Facebook, I do believe it
is the right decision to not pay him.

In his report he lacked the communication skills necessary to make a useful
bug report, which in my opinion caused the problem.

~~~
ronaldx
> lacked the communication skills necessary to make a useful bug report

If anything, he had great communication skills. He overcame a non-native
language barrier, while being conversationally blocked, and still made his
point clearly.

Besides, are communication skills the important skill here? I would say, not.

Facebook does not pay white hat hackers at a level appropriate to their skill
and work ($1m total? _that's all?!_) and now it's also clear they are looking
for technicalities to avoid payment.

~~~
kevcampb
$500 for a bug report. That'll be cheaper than a day's work for one of their
developers.

------
thezilch
This is absolutely the right response; I think it's not a stretch that a
security report might be provided by a "newcomer" or potentially even a
complete layman.

------
jcutrell
It makes way more sense to offer some sort of sandbox to prove bugs to filter
this kind of thing (instead of having less-than-stellar bug responders like
the "this is not a bug" guy).

If you could create your own "non-friend" user mock object and demonstrate the
bug, no one has to parse your bad language. He proved the bug through a live
test - doesn't it make sense to provide this kind of testing ground to
whitehats?

I'm not a hacker, just a plain old developer. But in my world, when I want to
explain something, I do it with test-case code and live examples, not through
long-winded emails or bug reports.

~~~
jack-r-abbit
The whitehat program page clearly spells out that you should use test accounts
and then links you to a place to view/create test accounts:
[https://www.facebook.com/whitehat/accounts/](https://www.facebook.com/whitehat/accounts/)

------
Sami_Lehtinen
I guess he would have made more money by selling the exploit to someone with
tons of fake accounts and botnet. Then they would have used it to flood walls
with malware and advertising links and generic spam.

------
zwdr
Facebook can't possibly pay him. Exploiting a bug on the live site is not
something they can reward, even if they want to. It would set the wrong kind
of precedent, signaling that it's OK to do whatever to demo an exploit on
Facebook.

That said, Facebook will surely find some deal so they end up with positive
PR.

------
arnehormann
This could be soooo easy. Just provide a way to create a temporary account for
tests that is not "a real user" and offer it on request. Creating and deleting
these should not be a problem - if a report is false, the account won't change
anyway.

~~~
gregd
Facebook already has the ability to create test accounts:
[https://www.facebook.com/whitehat/accounts/](https://www.facebook.com/whitehat/accounts/)

~~~
arnehormann
If these accounts were internally tagged as security test accounts and were
created automatically and a security researcher had no control over them
(think honeypots), Facebook could monitor changes and see if anything on these
accounts changes that should not. As the security researcher does not control
the account unless an attack is successful, Facebook can grade attacks without
human intervention. I can't see anything suggesting they have such a system in
place.
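One way to build the monitor this comment sketches, as an added example that is not code from the thread or from Facebook: honeypot test accounts are provisioned by the platform and tagged with the report they were created for, nobody else holds their credentials, and a monitor replays the account mutation log against each account's baseline. Any write that is not the platform's own provisioning and that actually changes a field is attributed to the report, so the attack can be graded without a human reading the report text. The account registry, the event shape and the sample events are all constructed here and are assumptions, not a description of any real system.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical honeypot account registry (constructed for this example).
@dataclass(frozen=True)
class HoneypotAccount:
    account_id: str
    report_id: str            # the whitehat report this account was provisioned for
    baseline: Dict[str, str]  # snapshot of mutable fields at provisioning time

# Hypothetical account mutation event, as an audit log might record it.
@dataclass(frozen=True)
class MutationEvent:
    account_id: str
    actor_id: str     # who performed the write; SYSTEM_ACTOR is the platform itself
    field_name: str
    new_value: str

@dataclass(frozen=True)
class Finding:
    report_id: str
    account_id: str
    field_name: str
    before: str
    after: str
    actor_id: str

SYSTEM_ACTOR = "system"  # assumed label for the platform's own provisioning writes

def grade_reports(accounts: List[HoneypotAccount],
                  events: List[MutationEvent]) -> Dict[str, List[Finding]]:
    """Replay the mutation log and return, per report id, every unexpected change
    seen on that report's honeypot accounts. Because the researcher never holds
    credentials for these accounts, a non-system write that moves a field away
    from its current value is evidence that the reported attack works."""
    by_id = {a.account_id: a for a in accounts}
    state = {a.account_id: dict(a.baseline) for a in accounts}
    findings: Dict[str, List[Finding]] = {a.report_id: [] for a in accounts}
    for ev in events:
        acct = by_id.get(ev.account_id)
        if acct is None:
            continue  # not a honeypot account; outside this monitor's scope
        before = state[ev.account_id].get(ev.field_name, "")
        state[ev.account_id][ev.field_name] = ev.new_value
        if ev.actor_id == SYSTEM_ACTOR or before == ev.new_value:
            continue  # platform provisioning, or a write that changed nothing
        findings[acct.report_id].append(
            Finding(acct.report_id, ev.account_id, ev.field_name,
                    before, ev.new_value, ev.actor_id))
    return findings

def successful_reports(findings: Dict[str, List[Finding]]) -> Set[str]:
    """Report ids whose honeypot accounts were changed by someone other than the platform."""
    return {rid for rid, items in findings.items() if items}

# Constructed sample data: two reports, one honeypot account each.
SAMPLE_ACCOUNTS = [
    HoneypotAccount("hp-1", "R-100", {"display_name": "", "wall": ""}),
    HoneypotAccount("hp-2", "R-101", {"display_name": "", "wall": ""}),
]
SAMPLE_EVENTS = [
    MutationEvent("hp-1", SYSTEM_ACTOR, "display_name", "Test User One"),   # provisioning
    MutationEvent("hp-2", SYSTEM_ACTOR, "display_name", "Test User Two"),   # provisioning
    MutationEvent("hp-1", "researcher-7", "wall", "post from a non-friend"),  # attack worked
    MutationEvent("hp-2", "researcher-7", "wall", ""),                        # no-op write
    MutationEvent("real-42", "researcher-7", "wall", "hello"),                # not a honeypot
]

if __name__ == "__main__":
    graded = grade_reports(SAMPLE_ACCOUNTS, SAMPLE_EVENTS)
    for rid in sorted(graded):
        print(rid, "confirmed" if graded[rid] else "no effect observed")
```

Only the first researcher write counts: it changed a honeypot field, while the write to `hp-2` left the wall at its baseline value and the write to `real-42` touched an account the monitor does not own. The same replay would also catch changes made through an attack path the report never mentioned, which is the point of grading on observed effect rather than on the researcher's description.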

