
So if a security bug was discovered using methods that are against the TOS then the information about the bug is worthless for them and it's better to sell it elsewhere.

The whitehat page explicitly says that you must “not interact with other accounts without the consent of their owners” in order to qualify for the bounty. So yes, apparently Facebook can deny payment and suspend your account if they can reasonably suspect that you violated someone's privacy during bug discovery.

However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't carefully investigate that possibility.

An argument could be made it wasn't so much the discovery of the bug but rather the manner of reporting it that was a ToS violation.

The payment would of course be for discovering the bug.
