
"Can't pay him" doesn't sound like bureaucracy BS, they don't pay him because he violated the TOS, it's on purpose. We could argue this is stupid and the TOS should be changed, but I can understand why they specify that in the process of reporting a bug you use a test account. Violating a real user's privacy to report a bug isn't the proper way to report a bug. If they made an exception with this guy then they would have to make more exceptions and possibly set a bad precedent.

I disagree. I don't think that making a case by case assessment is opening the floodgates (that argument is exactly what I would call bureaucracy BS). For an exploit of this severity I would expect them to be grateful to someone who was obviously not being malicious regardless of some silly policy.

How would you feel if he found an exploit that allowed him to make all your private messages public and proceeded to report this by leaking your inbox?

I'm no fan of Facebook, but even I can see why they can't ever encourage such irresponsible behaviour.

As stated, a case by case assessment would most definitely capture this fictional scenario appropriately.

Well, we don't need to assess fictional scenarios, we can take a look at what this hacker has achieved.

1) Lots and lots of negative press. (we wouldn't talk about this if this wasn't true)

2) Embarrassing the CEO of a company and thereby also hurting the reputation of his company

3) And on top of that he breached his privacy

And you still think that they treated him too harshly by withholding payment? I mean couldn't he have waited a few more days or reopened the ticket - or maybe just used Facebook's test accounts? It's not like he waited for ages, he brought this bug to attention last Friday.

But yeah, waiting a whole weekend was probably too much for him to take, so he obviously had to post on MZ's wall.
