"Can't pay him" sounds like bureaucracy BS. I'd argue that it's in their best interest to find a way to pay him. Why make people jump through hoops to report an exploit in your product?
However, it also sounds to me like an opportunity for a bug / exploit reporting proxy business that validates, reproduces, and polishes reports in bulk. You most certainly could extract a much higher bounty per report.
"Can't pay him" doesn't sound like bureaucracy BS, they don't pay him because he violated the TOS, it's on purpose. We could argue this is stupid and the TOS should be changed, but I can understand why they specify that in the process of reporting a bug you use a test account. Violating a real user privacy to report a bug isn't the proper way to report a bug. If they made an exception with this guy then they would have to make more exceptions and possibly set a bad precedent.
I disagree. I don't think that making a case by case assessment is opening the floodgates (that argument is exactly what I would call bureaucracy BS). For an exploit of this severity I would expect them to be grateful to someone who was obviously not being malicious regardless of some silly policy.
Well, we don't need to assess fictional scenarios, we can take a look at what this hacker has achieved.
1) Lots and lots of negative press. (we wouldn't talk about this if this wasn't true)
2) Embarassing the CEO of a company and thereby also hurting the reputation of his company
3) And on top of that he breached his privacy
And you still think that they treated him too harsh by withholding payment?
I mean couldn't he have waited a few more days or reopen the ticket - or maybe just use Facebooks test accounts?
It's not like he waited for ages, he brought this bug to attention last friday.
But yeah, waiting a whole weekend was probably too much for him to take, so he obviously had to post on MZs wall.
It would be great if they said "We can't pay him" publicly then just cut him a cheque privately with the understanding that he not tell anyone he got paid. This way, they can go on with the TOS saying you can't affect real users with your hacks, and the dude that blew the whistle gets the reward.