Hacker News new | comments | show | ask | jobs | submit login

Oh man! If only they could fix the situation!

You're willfully ignoring what the situation actually is.

The situation is the guy in good faith tried to give them repro steps and report a critical bug. Technically he fucked up and didn't do it on a white hat account. No harm was intended or done. They are denying him his reward based on a technicality. If that FB employee is not some lawyer trying to cover their asses, then he should want to pay this person and make it happen via some exception. If they truly didn't care about the money and wanted to pay more bounties they would do this. There is no danger of ruining the integrity of the ToS as another replier suggested. In future incidents they are free to not make an exception. In this case, it was all in good faith and the guy didn't know the proper procedure.

They're not "denying him the reward". He demonstrated the vulnerability on someone's actual account. They can't pay people to fuck with other people's accounts. That's not what bug bounties are about. Only on a message board is this hard to understand.

A very specific message board, it seems like. /r/netsec is having no trouble understanding it.

Which leads me to believe most people commenting are not doing so with an actual understanding of the situation, and are instead viewing this solely as Big Bad Facebook vs innocent hacker.

"Paying people to fuck with people's accounts" is a pretty dishonest way to frame this.

No, you just refuse to think about the larger picture. I went out of my way to say that this person wasn't deliberately harming anyone.

You're acting as if there's no precedent implicated in Facebook learning of someone violating both their normal ToS and the terms of their bug bounty program by compromising someone else's account, and then paying them a reward.

You're wrong about that.

I went out of my way to say that this person wasn't deliberately harming anyone.

Saying someone fucked with another person's account implies otherwise.

He didn't f* up Zuck's account. Just making a wall post on some account doesn't f* that account in any way.

It's still a violation of privacy though, and these are viewed as serious by the ToS.

It's understandable it's just not the right mentality towards someone that hacks for profit and bug bounties generally target this ($500 though is hilarious). Effort and time is supposed to be directly related to payout, if it takes more effort and time for less of a payout then the bug reporting is broken.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact