Hacker News new | past | comments | ask | show | jobs | submit login

OK - so I work on a security team at Facebook and sometimes help with reviewing Whitehat reports. To be clear, we fixed this bug on Thursday. The OP is correct that we should have asked for additional repro instructions after his initial report. Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have - violating our ToS and responsible disclosure policy), saying that "the bug allow facebook users to share links to other facebook users". Had he included the video initially, we would have caught this much more quickly.

For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.

However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.

As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners." Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they're found and demonstrated within these guidelines.

"As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs."

I just looked at it, then switched Facebook to Arabic and the TOS is magically still in English (edit - and right aligned really badly as the page evidently expects arabic). If you demand that the TOS is followed by people who do not have English as a first language, try offering a translation.

This guy has done you all a service. The chances are that he may not have been able to clearly read the TOS that you wish him to abide by. He should get paid.

edit - hmm, was about to check the situation with other languages, however now all the buttons are in arabic so I stopped bothering after the fourth random page.

Great point and I hope the FB security team take notice of your post. Whether or not this guy gets paid, I certainly hope they spend the money to get proper translation of their policies in every language they operate in.

They can't pay people to violate their terms of use or to try to violate the privacy of their users. Even if they wanted to, they're probably not allowed to do that.

So if a security bug was discovered using methods that are against the TOS then the information about the bug is worthless for them and it's better to sold it elsewhere.

The whitehat page explicitly says that you must “not interact with other accounts without the consent of their owners” in order to qualify for the bounty. So yes, apparently Facebook can deny payment and suspend your account if they can reasonably suspect that you violated someone's privacy during bug discovery.

However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't investigate carefully that possibility.

An argument could be made it wasn't so much the discovery of the bug but rather the manner of reporting it that was a ToS violation.

The payment would ofcourse be for discovering the bug.

Good point.

Lesson learned: Find a security hole, report it to Facebook, and they don't respond after two attempts? Sell it as a zero day.

Incentives matter. And there is always money to be had somewhere else.

Well according to Facebook, "this is not a bug". Which means the feature works as intended. If he is using Facebook as it is intended, then how can he be breaking the TOS?

When an employee whose job it is to evaluate security issues says "this is not a bug", that determination carries the force of law the same way as if it appeared in the TOS. You cannot rely on people to follow some nebulous "spirit of the TOS" when meanwhile your employees have already made a contrary specific determination for how it applies to this particular bug.

They wouldn't paying him to violate the terms ... and it's not like Facebook has any problem with changing a user's privacy settings without permission - except I guess we probably somewhere in the agreements agreed to allow that, or not hold them accountable - probably both..

hahaha funny point

Creating a test account is also kind of a violation of the TOS anyway:

"You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.

You will not create more than one personal account."

They specifically allow accounts to be created for whitehat purposes at https://www.facebook.com/whitehat/accounts/

Interestingly, from that page:

"Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing."


It's translated. I believe it requires you to be in a local to get this page to display automatically. It certainly exists for people creating accounts in arabic, and absolutely includes the relevant lines.

Does that page include the whitehat programme TOS, or is it just the general TOS?

Does it concern you that ultimately the way the OP got your attention is by posting to MZ's account? Are you sure you'd have ever "discovered" it if he hadn't? I agree that the OP didn't do a great job, but if he's submitting a vulnerability that you really want to hear about and you're ignoring him because of some miscommunication and you ding him for doing the one thing that gets your attention, you're creating an environment where you're less likely to find out about these things.

I think there's a spectrum between letting whitehats do anything (including violating privacy, hurting real user accounts, etc) vs. suing everyone who changes a GET param somewhere. Having a whitehat program with (IMO reasonable) guidelines around not impacting unsuspecting real users seems to me like a good balance and is fairly close to the first part of the spectrum.

Obviously I don't love the end outcome, and this would have gone better for all parties if he had used a test account and included some kind of repro instructions (like that video) in the initial report.

>this would have gone better for all parties if he had used a test account and included some kind of repro instructions

Clearly, but that's not really something you can control. From your perspective, the other side of the tradeoff with "hurting real user accounts" is "leaving open a huge security hole", not "being mean to whitehats when they screw up". I don't disagree that the guidelines seem quite reasonable prima facie and perfectly fair to to the whitehat in some moral sense, but it's unclear if they're actually working. It boils down to, if you had to choose between finding out about this security hole the way you did or not find out about it at all, which would you choose? How many not-quite-so-aggressive versions of this guy are out there, and how many holes are you leaving on the table? Edited to add: If an important way of finding vulnerabilities is people breaking the rules, then the rules suck, regardless of their intrinsic fairness.

It could well be that keeping not-great-communicator/guideline-follower whitehats from reporting some number of bugs through questionable means is actually worth those flaws sticking around. Of course I don't see the daily flow of vulnerability reports to FB (or all the ones that don't ever get reported), so I don't know. But it sounds like a harder question than you make it out to be.

Again: how exactly do you propose that they write a policy that compensates people for violating the security of their users? Not the security of Facebook, but the integrity of their actual users.

We all know this person had good intentions. But good intentions aren't always enough. Facebook doesn't appear to be freaking out at him. They just can't pay him for having demonstrated a vulnerability by hacking someone's account.

Firstly, no idea how you can conclude he hacked an account. A bit strong of language there? Second, does reason not come into play here? You don't have to write a policy to compensate people for violating privacy - however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exist. Just no one at Facebook wants to engage and be human it seems.

> Firstly, no idea how you can conclude he hacked an account. A bit strong of language there?

This is like... the textbook definition of a hack.

> however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exist. Just no one at Facebook wants to engage and be human it seems.

I love that this statement is downthread of a Facebook engineer's comment that states he considers the guidelines reasonable. It's as if you're just a drone following written orders without the ability to make compromises.

>> Firstly, no idea how you can conclude he hacked an account. A bit strong of language there?

>This is like... the textbook definition of a hack.

Perhaps of "hacking FB", but he didn't "hack an account".

I don't see what the problems are for FB here. They have a moral obligation to reward him for reporting this bug, especially since their ToS are apparently not available in Arabic. Claiming that he showed any sort of malicious/inappropriate behavior is a really bad tactic to save some money when they clearly handled this very badly from the start, while his intentions were obviously good.

All they are achieving by reacting this way (including the apologets) is that next time, such people will just sell their exploits on the blackhat market.

I don't think has anything to do with saving money. It really seems like a case of trying to take human judgment out of the equation. Strict adherence to rules is easy for bean-counters to push but frequently problematic for dealing with real world situations because rules are never perfect.

Facebook really doesn't need to save $10k by not paying this guy. It's about upholding the terms and not setting a precedent.

The blackhat market for Facebook exploits is not huge because the product is centrally controlled and can be patched at any time. It's not like 0-days for products with individual installations that aren't centrally controlled with forced updates - those are clearly valuable.

What incentive does the engineer have to look deeper, and more holistically at the situation? None, especially if he doesn't want to create friction within the company - he can just sit comfortably having followed written protocol. A human with compassion can make compromises, someone following orders can't.

In as much as he posted on another account's timeline without permission, he "hacked" it in the "unauthorized access" sense of hacked.

re: reason; where does his reason come into play? It does not seem reasonable to post to M.Z.'s timeline, I'd guess he did that because he was P.O.ed at being dis'ed by the support people.

In the bureaucratic theory I am aware, if you have rules (policies, proceudres, standards etc.) you need to apply them consistently. Sometimes the rule will allow for discretion, sometimes not. I don't see room for discretion here.

I believe you're comprehending his actions wrongly. He stated before he'd be able to post even onto M.Z.'s timeline, to announce that this isn't a narrow scope issue, and that it was to gain attention. I see no malicious or angered. If of course M.Z. all of a sudden sees some guy, who isn't a friend, posting to his wall - you think he might actually look into it, right?

Yeah, rules that don't take into account reason are inhumane. Similarly why we don't just give everyone 10 years in prison because they committed a crime - you take into account all aspects - and not just apply "oh but he committed a crime, so this is the result."

Rules that are not applied consistently are arbitary.

No one said anything about a crime. Denial of the bounty is not brutal.

Not sure what you mean by "again".

> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.

I don't see why that is. They already provide the following caveat:

> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.[1]

So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).

I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?

[1] https://www.facebook.com/whitehat

Immediately following that quote: Do not interact with other accounts without the consent of their owners.

He didn't try to reproduce the bug with a test account though. If he had and it hadn't worked, the fact that he then used a real account would've been acceptable.

"Can't pay him" sounds like bureaucracy BS. I'd argue that it's in their best interest to find a way to pay him. Why make people jump through hoops to report an exploit in your product?

However, it also sounds to me like an opportunity for a bug / exploit reporting proxy business that validates, reproduces, and polishes reports in bulk. You most certainly could extract a much higher bounty per report.

"Can't pay him" doesn't sound like bureaucracy BS, they don't pay him because he violated the TOS, it's on purpose. We could argue this is stupid and the TOS should be changed, but I can understand why they specify that in the process of reporting a bug you use a test account. Violating a real user privacy to report a bug isn't the proper way to report a bug. If they made an exception with this guy then they would have to make more exceptions and possibly set a bad precedent.

I disagree. I don't think that making a case by case assessment is opening the floodgates (that argument is exactly what I would call bureaucracy BS). For an exploit of this severity I would expect them to be grateful to someone who was obviously not being malicious regardless of some silly policy.

How would you feel if he found an exploit that allowed him to make all your private messages public and proceeded to report this by leaking your inbox?

I'm no fan of Facebook, but even I can see why they can't ever encourage such irresponsible behaviour.

As stated, a case by case assessment would most definitely capture this fictional scenario appropriately.

Well, we don't need to assess fictional scenarios, we can take a look at what this hacker has achieved.

1) Lots and lots of negative press. (we wouldn't talk about this if this wasn't true)

2) Embarassing the CEO of a company and thereby also hurting the reputation of his company

3) And on top of that he breached his privacy

And you still think that they treated him too harsh by withholding payment? I mean couldn't he have waited a few more days or reopen the ticket - or maybe just use Facebooks test accounts? It's not like he waited for ages, he brought this bug to attention last friday.

But yeah, waiting a whole weekend was probably too much for him to take, so he obviously had to post on MZs wall.

It would be great if they said "We can't pay him" publicly then just cut him a cheque privately with the understanding that he not tell anyone he got paid. This way, they can go on with the TOS saying you can't affect real users with your hacks, and the dude that blew the whistle gets the reward.

The bug bounty won't cause others to report bugs if they pay in secret.

> how exactly do you propose that they write a policy that compensates people for violating the security of their users? Not the security of Facebook, but the integrity of their actual users.

In the appropriate language: https://news.ycombinator.com/item?id=6231153

Otherwise, you should make some good faith effort to not assume devious intentions on someone making a good faith effort to report problems.

> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.

Technically, according to the security person at Facebook, it wasn't a bug. When he did the same thing again on Mark Z's account, it suddenly became hacking. Yeah, he didn't follow a procedure that wasn't available to him in his native language, but he made a good faith attempt to report the bug, and did so several times.

> But good intentions aren't always enough.

Several attempts to contact them despite being told the actions he was taken was not a bug despite clearly explaining why it was?

Slightly off topic, but it would be nice if the test accounts really worked all the time. I've seen a number of cases where entire sections of the site (e.g. http://developers.facebook.com) that error out (return 500's) when using whitehat test account's auth info. This leaves us with little choice but to use real accounts in some cases.

> Obviously I don't love the end outcome,

If only you could do something about it to make the end outcome more ideal.

But a member of your team was in control of the outcome and messed up. This guy really wanted to make sure that you guys saw the issue in spite of a member of your team screwing up.

You should be rewarding him, not discouraging him.

I know arguing with someone as stubborn as you is useless, but what can I say?

I hope that the fb'er who replied to him saying "this is not a bug" has been retrained to use the words "we are unable to reproduce this issue, please provide further information or perhaps a video demonstrating the bug".

So no one reasonable is allowed to actually make a decision eh? Must be shitty working at Facebook if decisions don't have a human-compassionate influence to them.

Is creating test accounts even allowed by the Facebook ToS?

I assume he means whitehat test accounts which are created in the whitehat console, and can only interact with other whitehat accounts

He posted to a real account before posting on Zuckerbergs account. I assume that is what they are dinging him for.

It's plain simple corporativism. The guy escalated the issue to their boss and they are not happy. Since this is probably a failure at multiple levels, they will fight back. It really sucks but it's all very unexpected.

Pay the man.

He stumbled around a bit trying to work out how to help, but he brought a flaw to your attention in what he thought was a polite way. If unleashed, this bug could've been used to wreak havoc on Facebook and damage the company's reputation. $500 is the very least FB should be paying.

Exactly, no harm was intended or done. Somebody posting on your wall doesn't even really impinge on your privacy (Hell, for all intents and purposes Facebook do it for profit). Whatever reward, perhaps reasonably reduced, they pay this guy will be cheaper than any bitterness earned from sitting behind a wall of pedantry with big fat righteous grins on their faces.

If they bothered to look at his profile (it's public), they'd see he looks to be a great fan and tinkerer on the Facebook platform.

after being treated this way, i doubt this man (probably everyone who read this) will ever report bugs to facebook anymore.

Agreed, Facebook will not be safe anymore. All these white hackers will sell their exploit to black hackers.

i said that many times , agreed

You're doing good work. Don't be discouraged. You clearly have some talent, and you can do positive good with it. Large companies are wedded to their rules, terms, and systems. As you work more on these sort of things, the process will get easier. As you can see, there are many supportive people here.

if this bug, does what i think it does, this man if met with certain group of people, had the chance to make millions out of this bug.

Is it even lawful for them to pay people that knowingly invade other people's accounts?

Why wouldn't it be? At worst, wouldn't facebook be the aggrieved party, and not another user of facebook?

Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.

If this is the case, then surely facebook could just choose not to press charges, and if so, what would be unlawful paying him in that case?

The bank example's a tad off when trying to draw a correlation to this particular case. I do agree with your sentiment though. I would reword it and say: if someone pointed out to a stubborn bank manager who refused to listen that the vault and my h of the bank's money was easily accessible, by taking out afew dollars from the bank & handing it to him. The a very embarrassed manager would be right to reward the person for showing the institutions flaw and not robbing them blind.

They might even throw a little fanfare his/her way to send a message that the bank appreciates being told and not robbed blind. (Especially given that they're a "community bank" built by pioneers and not a monolithic marble statue institution :-P)

Posting something on someones wall isn't so much invading as it is leaving a sticky note on their door. By that metric UPS invades peoples homes quite regularly when they fail to deliver a package. Had he actually accessed any non-public details of a users account that might be one thing, but the only data he was able to view was the post he had created himself. In short, it was his data, from his account, it just happened to be located on someone else's page. Honestly it's not even that bad of a vulnerability, more like a mild nuisance.

They will pay for reporting of the bug. What's with the apparently intentionally inaccurate description of his actions? All he did was post to someone's wall, that's hardly "invading someone's account".

He posted something to them - he didn't access them.

I chose my words carefully.

Invading means to enter, and he didn't enter anything. He posted a link through Facebook's buggy system. The end.

Yeah this sounds like a super productive discussion.

Especially when you start using argument tactics like belittling.

You're right; I am officially derisive of this discussion. You know I'm not making an argument by trying to characterize this person's actions as malicious, but you keep raising that idea as an issue, because you actively don't want to understand what's happening in this situation, but would prefer instead to demonize Facebook's security team.

Demonize the security team? I never implied that anywhere - please don't "put words in my mouth."

I think you are here: https://news.ycombinator.com/item?id=6231466 . And please don't bother defending, just dropping by.

K. I won't point out to you why you're mistaken.

You seem to be making an awful lot of excuses to not just pay someone who brought to light a critical exploit. Do you work on the security team or are you a lawyer (maybe with a panicking accountant looking over your shoulder) trying to find fine print reasons say, "Aha! We can save money to our bottom line in this instance!" ? Do you know how silly it looks for you to make these excuses?

This is pretty silly. Facebook obviously doesn't care about the dollars here; if anything, I'd imagine they want to be paying more bounties.

Oh man! If only they could fix the situation!

You're willfully ignoring what the situation actually is.

The situation is the guy in good faith tried to give them repro steps and report a critical bug. Technically he fucked up and didn't do it on a white hat account. No harm was intended or done. They are denying him his reward based on a technicality. If that FB employee is not some lawyer trying to cover their asses, then he should want to pay this person and make it happen via some exception. If they truly didn't care about the money and wanted to pay more bounties they would do this. There is no danger of ruining the integrity of the ToS as another replier suggested. In future incidents they are free to not make an exception. In this case, it was all in good faith and the guy didn't know the proper procedure.

They're not "denying him the reward". He demonstrated the vulnerability on someone's actual account. They can't pay people to fuck with other people's accounts. That's not what bug bounties are about. Only on a message board is this hard to understand.

A very specific message board, it seems like. /r/netsec is having no trouble understanding it.

Which leads me to believe most people commenting are not doing so with an actual understanding of the situation, and are instead viewing this solely as Big Bad Facebook vs innocent hacker.

"Paying people to fuck with people's accounts" is a pretty dishonest way to frame this.

No, you just refuse to think about the larger picture. I went out of my way to say that this person wasn't deliberately harming anyone.

You're acting as if there's no precedent implicated in Facebook learning of someone violating both their normal ToS and the terms of their bug bounty program by compromising someone else's account, and then paying them a reward.

You're wrong about that.

I went out of my way to say that this person wasn't deliberately harming anyone.

Saying someone fucked with another person's account implies otherwise.

He didn't f* up Zuck's account. Just making a wall post on some account doesn't f* that account in any way.

It's still a violation of privacy though, and these are viewed as serious by the ToS.

It's understandable it's just not the right mentality towards someone that hacks for profit and bug bounties generally target this ($500 though is hilarious). Effort and time is supposed to be directly related to payout, if it takes more effort and time for less of a payout then the bug reporting is broken.

I remember a comment by you saying that most exploits are not that valuable. How valuable would this one have been?

It looks like preserving the integrity of their ToS to me. If you believe it is because of $500, you are a total idiot and I will not talk to you.

If you think good hackers report security bugs for $500, I am tempted to call you a total idiot too (though I will not).

Consider what motivates people more deeply.

That is a vague reply with no apparent relevance to anything I said except the amount $500 which was not to be taken literally. My point was that facebook isn't doing this to save money and believing so is idiotic.

My point is that people asking for a monetary reward might indirectly be asking for recognition, not the money per se.

Thinking otherwise might be idiotic too, but that's besides the point.

You apologise and pay the guy. Then you write it up as a public case study in very simple English. At each step point out what he should have done. That means the next people know what to do, and everything comes out positively from this.

At the moment the loud and clear message is that there are far more welcome places than Facebook to report found issues.

Is your whitehat page translated to other languges? If I select a different language, only the login and footers are translated. I don't think you can reasonably assume that non-English speakers can understand the entirely English whitehat page.

Additionally, if you're not logged-in, then the test accounts page doesn't work. It redirects to the same page as facebook.com/whitehat, with no notification that the test accounts page even exists.

You should really pay him.

Why didn't your coworkers reply back asking for more info? This is like the first thing security engineers should do. Look how serious Security Engineers at Microsoft reply back, http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247...

The right thing to do is add Khalil to the white hat list, and pay him what he deserves. He doesn't speak or read English as you have noticed. Your TOS for white hat page is NOT even translatable.

He used real accounts because your team did not care what he had to say. What do you think he should have done? Sell it to the black market?

You know, I agree with everything you have said.

But couldn't your team be a bit grateful? Though he did post to Zuck's account, he didn't sell the vulnerability as a zero day on the black market, no?

A cheap insurance policy, making the payout, cultivating trust with white hats who are nonetheless decidedly a bit bone headed (if not well meaning).

I agree with you that facebook should not pay for the bug since he violated the policy, instead, facebook can consider offering him an interview opportunity and sponsor him a trip to facebook.

> many of the reports we get are nonsense or misguided

Alright, here's a preemptive question for you then.

Should a logged in user be able to retrieve the email addresses of an arbitrary friend, regardless of their contact privacy setting being set to "only me"?

Hmm, wanna report at facebook.com/whitehat with more details? Please include repro instructions :).

Since when did repo stand for "reproduction" in sofware engineering term? Never heard it around here. East coast.

The abbreviation he used was actually "repro", which seems like something that would likely be shortened in an environment where you say it a lot.

Repro, with an r. I've heard it more the last, say, five years than previously. Also East Coast.

Thanks also that was a typo. First time I have ever heard it was in these comments. We don't ever use it where I work and I deal with customer reported bugs every day.

It's possible I first heard in the OSS world and imported it to my jobs, but I'm not sure.

Since forever.

Will do.

This is crap and you're embarrassing yourself and Facebook.

You all are lucky that people are sharing this stuff with you guys for $500 instead of on the black market for much more. You're also lucky that people are doing the job that highly-paid Facebook engineers should have done. And if I read between the lines of your post, you and your team think that you're pretty clever.

The right thing to do is to cut this guy a check for $500 and keep your mouth shut, before people stop reporting security bugs to you.

I know I'm already discouraged--if I find anything, the last thing I want to deal with is a mediocre engineer telling me I didn't fill out the TPS form the right way.

just pay the guy, it's $4k.

the language barriers are enough to justify any mistakes made in conforming precisely with the t&cs. he didn't abuse the hack. he reported it to you. pay him tbh.

Although, Mr. Shreateh did not follow the Facebook TOC to the letter, as written by Facebook's legal team, he did operate in good faith, according to the Yahoo article, quoted below. Whether or not Facebook legally owes Mr. Shreateh $500 + change or not, the potential PR costs and being "cheap" image is one I would hope does not attach itself to Facebook - leave that to Walmart.

"So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people's Walls, he reported it to Facebook.

That bug is a spammer's dream. To prove his bug was real, Shreateh posted something to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg.

He then contacted Facebook's security team with the proof that his bug was real, he explained in a lengthy blog post. Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that Shreateh shared.

Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall."

Bug profit flowchart:

You discover a bug on FB just by being a normal user not a "whitehat" security user:

* You discovered it by doing "something" to someone else account --> FB will not pay : SELL on black market.

* You think the bug isn't really a bug but then it happens again --> FB will not pay : SELL on black market.

* You have a life that you don't want to waste with reading through legalese and filling out forms. FB says it is not a bug. Maybe they are right? You don't want to spend the time arguing about it over email --> SELL on black market

* You are not a lawyer, or do not do security testing full-time on FB. Or you are a normal user who has not kept on the FB ToS now that we are on the 100 billionth version --> You probably did something wrong. --> FB will not pay : SELL on black market.

* You are a US citizen and do not want to be charged with CFAA violations as a hacker --> SELL on black market.


FB might give you some money.

How didn't he make a good faith effort? It seems that a language barrier may be part of the issue, no?

So can I report the same bug under the guidelines and get paid for it, or did you rob him and patch it already? Just pay the man, as a programmer a simple bug like this is a huge no no in the engineers part, and not rewarding the user for his conduct is plain selfish of the company.

dude you are talking like a robot , how do you expect a hacker to behave upon your rules and follow your silly (tos) ... really unbelievable.

Your response is incredibly dumb.

hahahah anther one

Facebook is wrong on this issue. OP made a good faith effort to report the problem. When this failed, he demonstrated the bug in a non-destructive way. He did not post maliciously, nor did he use the bug to obtain confidential information. When the channel set up by Facebook failed, he took the problem to the CEO. I will post this issue to various social media outlets until the OP is fairly compensated. Facebook's actions here are deplorable and discourage users' efforts to report bugs.

I worked in FB before so I understand that it's kind impossible to track all the bugs/reports received without clear information provided. However, you can easily tell this guy is humble and not really trying to show off, it's the one who simple wrote "this is not a bug", instead of asking for more information, putting him to actually hack Mark's page.

For a better PR, pay him and use this case as an example to teach the future whitehats. FB has low esteem for a reason.

Exploiting bugs to impact real users is not acceptable behavior for a white hat

It's pretty arrogant of Facebook to redefine the meaning of white hat don't you think? Posting to the Facebook founders page to let them know of a security vulnerability is not malicious, plain and simply, not. Trying to steer the embarrassment of your failings because this guy didn't read your TOS is incredibly hypocritical.

Using a bug to post to said founder's page against his will is definitely not white hat behaviour. Period.

And you base that on what? Sending someone a message to give them a heads up on their security, no matter the medium used, is not malicious behavior, if you feel it is .. well, the world must be a very scary place for you.

With all respect, obviously you was able to reproduce the bug and fix it. Maybe you forget, that language barrier to Palestine can be an issue too, so because you make not clear what you asking for, when he send you back a link. Obviously it is more work to post on Mark Zuckerbergs Page than respond in the way you want.

Plus i am very sure, the mistake was on Facebook ends in the first place. I experienced it myself: Since 6 month now i try that Facebook take action, because the break of privacy issues and violation of Facebook terms by a Facebook user - i even not give an response on any channel in tried.

If you really do not give him his reward for the Report and keep you informed, than this is extremely unfair from facebook end. IN this case i strongly recommend WhiteHat Hackers in future cases: Do not count on Facebook Team, publish bugs and security issues on Blogs. Obviously the Facebook team give priority not based if a problem is urgent, only how "public" it is.


Frank, this is a wonderful rendition of horrible grammar.

The attention this guy is getting is worth dramatically more than the $500, whether he intended this impact or not.

In all honesty I think you guys are being extremely harsh with a man that has pointed a huge problem on your website. He has done Facebook a huge favour and instead of paying him, you have the nerve to refer to a TOS not written in his first language as an excuse. This will lead to bad publicity for a multi million dollar company like yourselves. The man looks really poor and if he wanted to he could have made a lot of money selling that exploit to spammers. However he decided to do the ethically right thing, only to be stabbed in the back by Facebook. I cannot believe that a company of your size and magnitude would stoop so low, its pathetic!!!! Just on that basis I will boycott Facebook as your organisation seems to have lost all of its good morals!!!!!

By him demonstrating something which Facebook clearly stated "...is not a bug" at the time, Facebook can't claim he violated the ToS. If it was not a bug, he was taking advantage of a feature which Facebook gave him the liberation to by stating so. The moment Facebook claims it is a bug, that contradicts what Facebook told him in the email, and thus it is Facebook's fault, not his. Facebook REALLY should not have said "this is not a bug." Facebook then had few options: to leave this as a feature (which is ludicrous), or treat it as a bug and redact what was stated in the email, which means Facebook should pay the damn man. You can't lie in an email and then pull a 180 when it's convenient for you.

What you've just done is create a disincentive for "researchers" to report vulnerabilities to you. The next time Kahlil or someone else finds a vulnerability (and there will be a next time), he/she/they will simply use it and/or sell it. Kahlil did the right thing, at the end of the day, and only broke Facebook protocol in order to get your attention because you ignored his first (legal) notification of said bug. If you don't pay him, you'll have a hard time with credibility in future cases.

In addition to all of that, it's the right thing to do.

You stay classy Facebook.

If you admit that "you should have pushed back asking for more details" than you should also admit that because of that, you are partly liable for the fact that he did go beyond the explicit rules. Now, are those rules also in Arabic? Also, how are you to encourage users to work with you in a quick, efficient manner, if these kinds of things are bogged down with red tape? It's only $500. Perhaps, you should change your rules to make the system for bug reporting easier, efficient, and a bit more egalitarian. Best, LJ

Rules are meant to be broken. Pay the man, he saved the company money.

That's ridiculous, he didn't use the accounts of real people. Real people wouldn't have elicited the FB security team response within minutes. Real people don't have a "follow" button on their wall. He used the one account that got your attention and was not malicious and he deserves to be paid. You know damn well your terms are meant against maliciousness and spammers. Your stance is petty.

You guys should hire the guy since he showed the world what a big flaw that was, instead of selling it he kept on trying to tell to the company. He should be seen as a hero by Facebook!

Shows how many issues there should be that are not taken into account.

BTW: English not being the primary language for these folks has not to do with anything, shows how much stereotype there's in being American or not. It's a global world, wake up!


I think we all know the signal-to-noise-ratio on the internet is a bit whack. So it seems entirely plausible that this was all due to an improperly formed submission.

That being said I think Facebook could have given the reward and a slap on the wrist at the same time considering the language barrier.

Considering the language barrier, a slap on the wrist is less appropriate. Facebook could have used this opportunity to publicize explaining to Khalil that his bug finding techniques are not in accordance with the guidelines and garner good will by paying him the $500 as an exception to the rule. The media would be frantically covering how facebook in spite of its guidlines decided to thank the person who reported the bug and overlook an apparently innocent mistake. A missed opportunity on facebook's end.

So the security person who said "This is not a bug," - what's happening there? If they had guided the guy reporting the bug, asked for more information or directed him to the expected methods for reporting, then this would have likely gone completely differently, right?

By the time he'd reported it, he had already used the exploit to post on a live, non-friend, account. As far as I understand , that's already a violation of the TOS.

It's fairly obvious he didn't understand the whole whitehat accounts he should have been using. English isn't his first language, so should we fault the guy for that - or Facebook who's an international company - with 1+ billion users? Or should Facebook own up to that they should probably update their documents - or give the guy a fucking break because they haven't done that? This is where you need REASON to react REASONABLY, and not just use a blanket statement to "make their life easy" in decisions like this. That's lazy and inhumane.

They're not faulting the guy for not having english as a first language. They're not rewarding him because he broke the TOS.

Highly unfair that you aren't paying him, TOS or not. Additionally, one could argue that your TOS is bad to begin with. It could be re-written to properly account for this situation. This guy did not have malicious intent - that is the bottom line and all that matters here.

Whatever! Facebook should pay him for figuring out the BUG in the system.

You could have just replied with the name of a test account and told him to post to that one to verify the exploit. In that way you would avoid any permission problems with real accounts.

Clever solution. You should go work at faacebook.

Pay the guy! He could have sold it and made lots of money. He was trying to do the right thing. Too bad he had to go to such extremes to get someone's attention.

"and we have paid out over $1 million to hundreds of reporters"

So each reporter received approx. $1000? That's all?... Heh, Facebook is very greedy company.

Why doesn't Facebook just create a live account that is set-up to see if it can be hacked? Or does that exist and I completely missed the point?

How come you didn't have unit tests that tested this scenario on the server-side services?

Just empty talk.


If the content of the reply is so easily objectionable, you should probably be arguing on the basis of what it says.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact