Fact: All software has bugs. Applications are very complex and there are always going to be errors that the developers didn't catch. This simple truth is the reason why many software companies offer "bug bounties," cash prizes for bringing these issues up. The thought is that not only does it help make the software more secure, it helps motivate the good guys to find the problems and report them instead of having the bad guys exploiting them without anyone knowing about it. Facebook created their own bounty program two years ago.
Late last night, RT News reported that a security researcher from Palestine by the name of Khalil twice submitted a bug report to Facebook's security team. The second response simply said, "I am sorry this is not a bug." After getting nowhere trying to convince Facebook security of the problem, Khalil decided to go directly to Facebook CEO Mark Zuckerberg
Dear Mark Zuckerberg,
First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports i sent to Facebook team .
My name is KHALIL, from Palestine .
couple days ago i discovered a serious Facebook exploit that allow users to post to other Facebook users timeline while they are not in friend list .
i report that exploit twice , first time i got a replay that my link has an error while opening , other replay i got was " sorry this is not a bug " . both reports i sent from www.facebook.com/whitehat , and as you see iam not in your friend list and yet i can post to your timeline .
this is the last email i sent including the Facebook team replay .
https://pastebin.com/zzi2WYK6
i appreciate your time reading this and getting some one from your company team to contact me .
sincerely
khalil
Within minutes of posting the message to Zuckerberg's wall, someone from Facebook contacted Khalil requesting all of the details of the exploit. The company then blocked his account while they worked on a fix. The issue was quickly fixed by Facebook's engineers, but the company is now refusing to pay the bug bounty because they claim his actions violate the terms of service.
While they may be technically correct -- he should've created a test account instead of first posting on a random woman's wall -- we feel that he was following the spirit of the rules and should still be paid for his finding. Facebook has no cap on the amount they pay for security issues, but the minimum amount is $500.
Cynics are saying that this actually may not have been a bug, but rather part of the NSA PRISM program used to spy on people, but we find that hard to believe.
Source: RT News
51 Comments - Add comment