Facebook bug hunter paid $10K by community, not company - geektips
http://www.zdnet.com/facebook-bug-hunter-paid-10k-by-community-not-company-7000019652/

======
aroch
I'm happy for the guy and all, but Facebook is doing the right thing by not
paying the bounty. They specifically bar messing with real user data; while
they could have handled the original report better, that's still not
justification. If you bend the rule once, everyone will want you to bend the
rule "just one more time" for them.

~~~
fixxer
I haven't been paying close attention to this, so forgive the ignorance if I'm
wrong: didn't he try to use the correct channels, but was turned away?

~~~
yebyen
The big idea as I understand it is:

He proved the bug on a live account instead of one of the prescribed test
accounts

He reported it as "this is a bug" not as "this is the procedure to use in
order to reproduce the bug"

He demonstrated critical inability to report the steps required to reproduce
the bug.

It must get to the point where this money faucet receives hundreds of people
submitting "bugs" where their friend has really left their account logged in
and it's been exploited via social engineering, or some other "not a bug", so
bugs are closed when they're submitted with not enough information.

I understand and subscribe to this strategy myself.

~~~
thezilch
You missed the part where FB -- as they admit, and are fixing -- lacks any
process to deal with those who are either not aware of or don't understand the
process. At no point do they instruct the reporter that it'd be helpful to
provide more steps and that he should not be using live accounts to demonstrate
the PoC. Nay, they merely shrugged him off and stated his actions were "not a
bug."

~~~
yebyen
You know, I went looking for help on something this morning (why does ntop
crash so much?) and at first all I could find was a post asking a similar
question, and a reply about how to ask the question better.

The GP replied (paraphrased) "there are a lot of posts on this board asking
for help and 95% of the replies are about how to ask the question better. You
would do well to try and read between the lines a little bit, just try
interpreting and answering some questions instead of just posting all about
how poorly the questions are asked."

The point is, that guy wasn't offering money. He was supporting free software.
I agree it's easy to make a blanket response for posts not providing enough
information, but if they can't fill out the form correctly enough for the
reviewer to duplicate the result, why should they get the money?

Just to close the loop, I did find another post eventually where the author
explains he "is aware" that ntop crashes frequently when it's configured to
monitor multiple interfaces, and you should use the SVN builds since they are
more robust. The bug still exists in FreeBSD and I update my ports tree every
day.

Searching for "ntop quits" again to put some dates on these posts, I see the
complaint was in 2003 and the post addressing my issue was in 2011. I guess it
still hasn't been fixed, but the software is still well-known. Anecdotes are
like...

------
yogo
Not a bad payday for a critical bug. Forget the black market; hypothetically
speaking, I wonder how much an ad agency would have paid for something like
this if they could use/abuse it for a week before FB caught on (assuming the
agency is unscrupulous).

~~~
Raphmedia
Imagine... being able to post ads on anyone's timeline!

Now THAT is something you could make profit with!

------
diminoten
Did anyone here donate to this guy? If so, can you explain why you did it?

~~~
dspillett
I didn't, but I suppose many have Facebook accounts and would prefer people
like him keep giving information about exploits to Facebook instead of selling
the information to the highest bidder as a "zero day" or just leaving it
unfixed so someone less scrupulous can find it and use/sell it for nefarious
means.

It could also be people who like to see Facebook and/or its figurehead with
egg on their face, who want to encourage this fellow (and others) to mess with
Zuckerberg's profile again for that entertainment value.

~~~
alttag
I also didn't, but some of the articles on the subject paint "the guy" as a
down-on-his-luck hacker in a developing country with ancient computer hardware,
trying to do the right thing. It's presented as almost a charity donation or a
scholarship to someone in less than affluent circumstances.