The person who had problems with Facebook didn't "pivot laterally".
He popped a shell, dumped and banked directories from the server, held them secretly, and used their contents more than a month after reporting the bug to Facebook as a cudgel in a dispute over a bounty.
(b) Please don't accuse me of commenting in bad faith. I don't care whether you use a calm tone of voice or not. It's especially weird to be accused of being in the tank for someone by an anonymous account.
(c) If I'm really incorrect, you should make an actual argument, rather than a drive-by snipe.
I humbly submit for your consideration that my assumption of you making comments in bad faith is not unlike your and Alex's assumptions of bad faith on the part of the researcher, and perhaps we could all improve a bit here.
Snipe aside (which was fired at Facebook, not you), I am genuinely confused about their ambiguous policy, and it looks like other commenters are too.
I don't think Wes acted in good faith in that one, but neither did Facebook in anything privacy-related. Who cares about fundamental ethics given the parties involved. I will say his actions were nearly warranted if Facebook was promising huge bounties for something that could cause them big problems, which that case seemed to be from that thread's comments. I don't know for sure.
Far as escalation or downloading data, I found that to be the only way to get taken seriously by management. Had to be done non-disruptively with trusted personnel, protection of that data (e.g. RAMdrives, crypto), and assurance it was gone after. Rarely even read it, as filenames & credentials were enough. Nothing like showing marketing plans or private emails to execs, with a contract that's vague enough for it to be legal, to get security taken seriously. Responsible disclosure debates of the '90s showed us that letting the vendor decide almost always resulted in them downplaying risk, saying it "hypothetically" could do something but was probably overstated. People playing that game usually get bounties that yearly add up to less than a median IT person.
Rather not play that game. If the company bullshits, do what you can within their legal framework to call them on it, and provably without doing any damage. If they didn't in that case, then he went way overboard and looks like he's running an extortion racket. I think key parts of the story aren't published and I can't be sure. Good news is Facebook and Wes both don't mean shit to me. Moving on. Appreciate the entertainment and different perspectives, though. :)