Hacker News new | comments | show | ask | jobs | submit login

Not sure what you mean by "again".

> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.

I don't see why that is. They already provide the following caveat:

> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.[1]

So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).

I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?

[1] https://www.facebook.com/whitehat

Immediately following that quote: Do not interact with other accounts without the consent of their owners.

He didn't try to reproduce the bug with a test account though. If he had and it hadn't worked, the fact that he then used a real account would've been acceptable.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact