
"As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs.""

I just looked at it, then switched Facebook to Arabic and the TOS is magically still in English (edit - and right-aligned really badly as the page evidently expects Arabic). If you demand that the TOS is followed by people who do not have English as a first language, try offering a translation.

This guy has done you all a service. The chances are that he may not have been able to clearly read the TOS that you wish him to abide by. He should get paid.

edit - hmm, was about to check the situation with other languages, however now all the buttons are in Arabic so I stopped bothering after the fourth random page.

Great point and I hope the FB security team take notice of your post. Whether or not this guy gets paid, I certainly hope they spend the money to get proper translation of their policies in every language they operate in.

They can't pay people to violate their terms of use or to try to violate the privacy of their users. Even if they wanted to, they're probably not allowed to do that.

So if a security bug was discovered using methods that are against the TOS then the information about the bug is worthless for them and it's better to sell it elsewhere.

The whitehat page explicitly says that you must “not interact with other accounts without the consent of their owners” in order to qualify for the bounty. So yes, apparently Facebook can deny payment and suspend your account if they can reasonably suspect that you violated someone's privacy during bug discovery.

However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't investigate carefully that possibility.

An argument could be made it wasn't so much the discovery of the bug but rather the manner of reporting it that was a ToS violation.

The payment would of course be for discovering the bug.

Good point.

Lesson learned: Find a security hole, report it to Facebook, and they don't respond after two attempts? Sell it as a zero day.

Incentives matter. And there is always money to be had somewhere else.

Well according to Facebook, "this is not a bug". Which means the feature works as intended. If he is using Facebook as it is intended, then how can he be breaking the TOS?

When an employee whose job it is to evaluate security issues says "this is not a bug", that determination carries the force of law the same way as if it appeared in the TOS. You cannot rely on people to follow some nebulous "spirit of the TOS" when meanwhile your employees have already made a contrary specific determination for how it applies to this particular bug.

They wouldn't be paying him to violate the terms ... and it's not like Facebook has any problem with changing a user's privacy settings without permission - except I guess we probably somewhere in the agreements agreed to allow that, or not hold them accountable - probably both..

hahaha funny point

Creating a test account is also kind of a violation of the TOS anyway:

"You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.

You will not create more than one personal account."

They specifically allow accounts to be created for whitehat purposes at https://www.facebook.com/whitehat/accounts/

Interestingly, from that page:

"Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing."

It's translated. I believe it requires you to be in a locale to get this page to display automatically. It certainly exists for people creating accounts in Arabic, and absolutely includes the relevant lines.

Does that page include the whitehat programme TOS, or is it just the general TOS?
