Thanks Matt,

My only concern is my account security (not money).

I found this issue with almost no technical knowledge, so the crazy thing is:

How many back doors should be over there ready to be exploited by spammers?

BTW, a big "report security issue" button on https://www.facebook.com/help/ would certainly help next time.

Thanks again,


It shouldn't take you more than one Google query to find the place to report Facebook security problems.

I don't think it's a good idea to link it from the general support section -- you don't want the security team that is hopefully carefully monitoring this stuff to have to wade through thousands of regular customer service complaints.

It shouldn't... but it could be easier. I've been in the situation before where I wanted to report malware on Facebook and I couldn't figure out where to report it.

I agree that you don't want reporting a security issue to supersede the general case of problems, but as things stand it is hard to figure out how to report a real security issue if you don't know about that magic whitehat URL.

Googling "facebook security" brings

#1 result: https://www.facebook.com/security

no information on reporting problems there

#2 result: https://www.facebook.com/help/security

this one has a Report Something link... but that doesn't give you options for reporting a security issue, just TOS violations or copyright infringement.

#3 result: https://www.facebook.com/security/app_10442206389

This looks better than the other two, but there is still nothing here about how to report a security issue.

Knowing what to look for, there's a hidden "Take Action >> White Hats" link that will eventually take you to the correct page: https://www.facebook.com/security/app_6009294086

So click that link... and you're presented with a huge page of names and still no obvious call to action: https://www.facebook.com/whitehat

Oh, it's the Report Vulnerability link in that sidebar that we've been conditioned to ignore in the normal Facebook UI.



Just to recap, in order to find how to submit a security bug report, it took me 15 minutes and I still only found it because I knew the term to look for was "white hat" and not "security".


Perhaps you're right. But "Facebook report a vulnerability" works just fine and that's what I would have tried if I were trying to report a vulnerability.

That's still a few down in the search results.

It looks like the magic search term that brings you right to the report page is: "Facebook vulnerability"


