
Pay the man.

He stumbled around a bit trying to work out how to help, but he brought a flaw to your attention in what he thought was a polite way. If unleashed, this bug could've been used to wreak havoc on Facebook and damage the company's reputation. $500 is the very least FB should be paying.

Exactly, no harm was intended or done. Somebody posting on your wall doesn't even really impinge on your privacy (Hell, for all intents and purposes Facebook do it for profit). Whatever reward, perhaps reasonably reduced, they pay this guy will be cheaper than any bitterness earned from sitting behind a wall of pedantry with big fat righteous grins on their faces.

If they bothered to look at his profile (it's public), they'd see he looks to be a great fan and tinkerer on the Facebook platform.

After being treated this way, I doubt this man (probably everyone who read this) will ever report bugs to Facebook anymore.

Agreed, Facebook will not be safe anymore. All these white hackers will sell their exploit to black hackers.

I said that many times, agreed.

You're doing good work. Don't be discouraged. You clearly have some talent, and you can do positive good with it. Large companies are wedded to their rules, terms, and systems. As you work more on these sort of things, the process will get easier. As you can see, there are many supportive people here.

If this bug does what I think it does, this man, if met with a certain group of people, had the chance to make millions out of this bug.

Is it even lawful for them to pay people that knowingly invade other people's accounts?

Why wouldn't it be? At worst, wouldn't Facebook be the aggrieved party, and not another user of Facebook?

Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.

If this is the case, then surely Facebook could just choose not to press charges, and if so, what would be unlawful about paying him in that case?

The bank example's a tad off when trying to draw a correlation to this particular case. I do agree with your sentiment though. I would reword it and say: if someone pointed out to a stubborn bank manager who refused to listen that the vault and much of the bank's money was easily accessible, by taking out a few dollars from the bank & handing it to him, then a very embarrassed manager would be right to reward the person for showing the institution's flaw and not robbing them blind.

They might even throw a little fanfare his/her way to send a message that the bank appreciates being told and not robbed blind. (Especially given that they're a "community bank" built by pioneers and not a monolithic marble statue institution :-P)

Posting something on someone's wall isn't so much invading as it is leaving a sticky note on their door. By that metric UPS invades people's homes quite regularly when they fail to deliver a package. Had he actually accessed any non-public details of a user's account that might be one thing, but the only data he was able to view was the post he had created himself. In short, it was his data, from his account, it just happened to be located on someone else's page. Honestly it's not even that bad of a vulnerability, more like a mild nuisance.

They will pay for reporting of the bug. What's with the apparently intentionally inaccurate description of his actions? All he did was post to someone's wall, that's hardly "invading someone's account".

He posted something to them - he didn't access them.

I chose my words carefully.

Invading means to enter, and he didn't enter anything. He posted a link through Facebook's buggy system. The end.

Yeah this sounds like a super productive discussion.

Especially when you start using argument tactics like belittling.

You're right; I am officially derisive of this discussion. You know I'm not making an argument by trying to characterize this person's actions as malicious, but you keep raising that idea as an issue, because you actively don't want to understand what's happening in this situation, but would prefer instead to demonize Facebook's security team.

Demonize the security team? I never implied that anywhere - please don't "put words in my mouth."

I think you are here: https://news.ycombinator.com/item?id=6231466. And please don't bother defending, just dropping by.

K. I won't point out to you why you're mistaken.
