Facebook vulnerability 2013 (khalil-sh.blogspot.com): check this article, and guess what!! Facebook pays me nothing. http://khalil-sh.blogspot.com/p/facebook_16.html
At first Facebook was similarly dismissive that it wasn't a bug. My friend pushed a bit to convince them with additional details and examples of how it could be easily used for exploits. They finally saw the light. The bug was fixed and my friend got paid $1K which wasn't much for the bug's seriousness. In any case it got fixed and my friend got acknowledged so it's OK.
It's a bit of a pity, though, that they didn't see it to be serious at first. I would have expected any mediocre engineer to skip a heartbeat when learning of such a bug in their system.
Come on guys, just give him the money.
Every security report should be taken seriously regardless of whether it comes from a well-known expert or just a guy from Palestine.
Maybe Mark should just hire the guy to replace the initial bug responder.
PROTIP: Reports should have PoC and be concise. No information about your bachelor degree should be attached.
http://www.reddit.com/r/netsec/comments/1kkvei/user_reports_...
And hats off to Khaled. Hebron is not a fun place to grow up, and making it that far, a B.S. that is, is an accomplishment. I grew up with far more privilege and I am still not smart enough to come up with Facebook exploits.
It reflects incredibly badly on their relationship with the tech community and I am sure we will see some superficial backpedaling very soon.
You act as if corporations maliciously "screw their customers over". See the responses below and you'll see that in this specific case FB actually wins out when they pay more to their whitehats.
I hate to single out your specific response, but it's comments like this (and the other 90% on this thread) that remind me how very few people on HN have experience with businesses at scale. Classic old and inflexible corporations, or let's just call them "enterprises", create policies so they can protect the highest number of cases available, but not all of them. It would be silly to think otherwise.
Your answer: 'it's not a bug, it's a feature'
1) Getting the target user's userId. This used to be part of a user's profile URL but Facebook allowed people to choose a "vanity URL" quite a while ago, so they're no longer as visible. So, instead, the userId is obtained from a FB Graph API query.
2) The form that makes up the "post to newsfeed" has a bunch of hidden inputs. One of them refers to a "xhpc_targetid" and this is probably where the target userId is injected. It's normally set to the current user's id for a default newsfeed post. These values in the DOM are modified during the exploit using something like Chrome Developer Tools on-the-fly and the form is submitted.
If this is truly the case (and I haven't verified it myself) this means that the server side is not really checking permissions and just blindly trusting the client input. Reminded me of this recent (http://arstechnica.com/information-technology/2013/08/how-ea...) article about trusting client input.
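The two steps above describe the classic broken-access-control shape: a hidden `xhpc_targetid` field names the timeline to post to, and the server appears to trust it. As an added illustration (not code from the original post or from Facebook), here is a minimal Python model of such a handler, the trusting version beside one that re-derives the permission server-side from the target's timeline privacy setting and records refusals for detection. Only the field name `xhpc_targetid` comes from the thread; the data model and every other name are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Added example, not code from the thread or from Facebook. Constructed
# sample data: a few users, their friendships and timeline privacy settings.
# "xhpc_targetid" is the hidden form field named in the comment above; the
# data model and every other name here are assumptions.

@dataclass
class User:
    user_id: int
    timeline_privacy: str                 # "public", "friends" or "only_me"
    friends: Set[int] = field(default_factory=set)

USERS: Dict[int, User] = {
    1: User(1, "friends", {2}),           # friends-only timeline, friends with 2
    2: User(2, "public", {1}),            # public timeline
    3: User(3, "friends", set()),         # not friends with anyone
}

# timeline id -> list of (author id, message)
TIMELINES: Dict[int, List[Tuple[int, str]]] = {}
# denied attempts: the kind of record a detection rule would alert on
AUDIT_LOG: List[str] = []

def reset_state() -> None:
    TIMELINES.clear()
    TIMELINES.update({uid: [] for uid in USERS})
    AUDIT_LOG.clear()

reset_state()

class Forbidden(Exception):
    pass

def post_trusting_client(session_user_id: int, form: Dict[str, str]) -> int:
    """Vulnerable shape, as the comment above describes it: the target
    timeline is read straight from a client-controlled hidden field and the
    server never asks whether this user may post there."""
    target_id = int(form["xhpc_targetid"])
    TIMELINES[target_id].append((session_user_id, form["message"]))
    return target_id

def can_post_to_timeline(actor_id: int, target_id: int) -> bool:
    """Authorization decided from server-side state only."""
    target = USERS.get(target_id)
    if target is None:
        return False
    if actor_id == target_id:
        return True                       # your own timeline
    if target.timeline_privacy == "public":
        return True
    if target.timeline_privacy == "friends":
        return actor_id in target.friends
    return False                          # "only_me" or unknown: deny by default

def post_with_server_check(session_user_id: int, form: Dict[str, str]) -> int:
    """Hardened shape: the hidden field is only an untrusted hint. The server
    parses it defensively, re-derives the permission from its own data, and
    records refusals so that probing for this bug becomes visible."""
    raw = form.get("xhpc_targetid", str(session_user_id))
    try:
        target_id = int(raw)
    except (TypeError, ValueError):
        AUDIT_LOG.append(f"user {session_user_id}: malformed xhpc_targetid {raw!r}")
        raise Forbidden("malformed target id")
    if not can_post_to_timeline(session_user_id, target_id):
        AUDIT_LOG.append(f"user {session_user_id}: denied post to timeline {target_id}")
        raise Forbidden(f"user {session_user_id} may not post to timeline {target_id}")
    TIMELINES[target_id].append((session_user_id, form["message"]))
    return target_id

def demo() -> Tuple[int, bool]:
    """Replays the scenario: user 3 (not a friend of user 1) submits a form
    whose hidden field points at user 1's friends-only timeline. Returns
    (posts that landed via the trusting handler, whether the checked handler
    refused)."""
    reset_state()
    form = {"xhpc_targetid": "1", "message": "constructed test post"}
    post_trusting_client(3, form)
    landed = len(TIMELINES[1])
    refused = False
    try:
        post_with_server_check(3, form)
    except Forbidden:
        refused = True
    return landed, refused

if __name__ == "__main__":
    print(demo())          # (1, True)
    print(AUDIT_LOG)
```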
Ad Board Chairwoman: Mr. Zuckerberg, this is an Administrative Board hearing. You're being accused of intentionally breaching security, violating copyrights, violating individual privacy by creating the website, www.facemash.com. You're also charged with being in violation of the University's policy on distribution of digitized images. Before we begin with our questioning you're allowed to make a statement. Would you like to do so?
Mark Zuckerberg: I've... [Mark stands up to make his statement]
Mark Zuckerberg: You know I've already apologized in the Crimson to the ABHW, to Fuerza Latina and to any women at Harvard who may have been insulted as I take it that they were. As for any charges stemming from the breach of security, I believe I deserve some recognition from this Board.
Ad Board Chairwoman: I'm sorry?
Mark Zuckerberg: Yes.
Ad Board Chairwoman: I don't understand.
Mark Zuckerberg: Which part?
Ad Board Chairwoman: You deserve recognition?
Mark Zuckerberg: I believe I pointed out some pretty gaping holes in your system.
----
The similarity is uncanny.
Paying out a bounty in that situation would be legally risky. Would advise against it.
Facebook's ToS forbid you to compromise other users' accounts in any way. Its bug bounty terms require the consent of any account holder used to search for bugs. It's also bound by California laws regarding breach notifications. And over the long term, it must retain the ability to enforce its own ToS. These are just the objections I can think of.
If you're going to participate in a bug bounty program --- and you should --- don't use non-consenting accounts to do it. This is a simple issue that's been blown out of proportion by message board pathology.
For all we know, the reporter might have thought, "This will never work" or is not up to speed on or didn't understand the rules. Facebook certainly didn't help him, at every turn, including the last email "Sorry, l2p."
In the first email, Khalil simply says that he can post to Sarah Goodin's facebook wall. He makes no mention of the fact that he and Sarah Goodin aren't friends.
The Facebook engineer replies that he is unable to see anything from the link that Khalil sent. This is because the engineer and Sarah are not friends.
Khalil responds with a screen shot of the post. Again, Khalil makes absolutely no mention that he and Sarah are not friends at all. In fact, at this point it would appear that Khalil is friends with Sarah, as he states that only her friends can see her wall. I guess he is able to see the post he made though.
At this point, Khalil decides that the only course of action is to go post on MZ's wall. How is that sort of escalation appropriate? By paying Khalil at this point, all you are doing is telling people that MZ's account is an acceptable place to report vulnerabilities, which is a horrible precedent to set.
Otherwise, next time he or any of his friends finds a vulnerability, they'd be tempted to share it with the people who would reward them, since they've seen firsthand that their reports to Facebook seem to just get ignored. When you consider that his entire region is in turmoil, and that social media is clearly playing an important role in the uprisings across that region [whether you agree with them or not], you'll understand our reasons for insisting that his efforts be rewarded somehow.
Edit 1: Not suggesting that fb intentionally ignores their reports for poor English or any other reason, but that's clearly the impression they're getting.
Edit 2: And while I have no reason to believe that this guy (Khalil) would ever report a vulnerability to some dictator's security forces, others who have seen this story might. And those who have seen this need not be his friends either, since it's on HN, /r/technology, and elsewhere.
Edit 3: As tszming suggested, if you don't want to risk setting a precedent by offering cash, you could perhaps sponsor an all-expenses-paid trip (with no implications of future employment) for him to visit Facebook HQ. Granted I don't know the legal implications of this, but it does give you a chance to buy this guy lunch and tell him in person that you do appreciate his efforts, motivate him to continue reporting any vulnerabilities he finds, and tell him to encourage his friends to do the same. Actions speak louder than words, and there's no question this would have a far bigger impact than the dismissive two-liner he received, even if the intention was the same.
When the top guys behave like this about rules, it clearly shows a lack of conscience. Rules are made to keep 99.9% of mess at bay.
This guy invaded the privacy of, say, 1-2 people, and that too only when the relevant authorities didn't respond in the correct manner, and saved the invasion of privacy of millions at least.
And what privacy? Only a relevant post (not spam) on the profile of the company's biggest authority.
Yeah someone probably died of laughter from that post/ breach of privacy... So DUMB!
But perhaps the bug-hotline gets so much spam that the OP came off as junk email to the FB dev team? Just skimming over his email, I'm struck by how much poor punctuation and capitalization triggers my mental spam alert (and that's before even reading the actual contents).
Shame on Facebook for dismissing this guy's reward due to the lazy actions of one employee. It would have taken one question, or one 5-minute validation of the claims, to make this a non-issue.
Edit: I'm sure Facebook engineers have something a bit more advanced than this:
https://www.facebook.com/zuck?and=khalil.shr
This link works if they know each other. Try going to your profile and adding ?and=zuck for instance
Edit: It was a tame music video. On the spectrum of demonstrating to a test account all the way through to selling his discovered flaw to actual spammers, I rate this at the low end.
Unfortunately, that didn't work either.
The TOS stuff, I think, is a bit shitty. Partly because they made him do it (more than necessary).
> Nope that's not a bug.
What did you expect him to do? Learn English on the fly? Conveying specific technical things is a difficult skill to learn even for native English speakers.
Sure his communication isn't the best, but neither is "I can't click that link" nor "This isn't a bug."
Pasting a link to a Facebook profile does not explain the exploit.
They're still visible in photo albums and the like. Far from hidden.
Coincidentally, that bug was also exposed by a non-native English speaker who was dismissed for his inability to fluently express himself.
On this topic: I still have no clue what vulnerability it was. Guy, do you know such terms as XSS, CSRF etc.? Can't you just say where the bug is? Nobody wants to watch a 6 (!) minute long video with Arabic subtitles, rofl. Peace
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it's sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
As you can see at https://www.facebook.com/whitehat, in order to qualify for a payout you must "make a good faith effort to avoid privacy violations" and "use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners." Unfortunately, the OP did neither of those things. We welcome and will pay out for future reports from him (and anyone else!) if they're found and demonstrated within these guidelines.
I just looked at it, then switched Facebook to Arabic and the TOS is magically still in English (edit: and right-aligned really badly, as the page evidently expects Arabic). If you demand that the TOS is followed by people who do not have English as a first language, try offering a translation.
This guy has done you all a service. The chances are that he may not have been able to clearly read the TOS that you wish him to abide by. He should get paid.
Edit: hmm, I was about to check the situation with other languages, however now all the buttons are in Arabic so I stopped bothering after the fourth random page.
He stumbled around a bit trying to work out how to help, but he brought a flaw to your attention in what he thought was a polite way. If unleashed, this bug could've been used to wreak havoc on Facebook and damage the company's reputation. $500 is the very least FB should be paying.
At the moment the loud and clear message is that there are far more welcome places than Facebook to report found issues.
Additionally, if you're not logged-in, then the test accounts page doesn't work. It redirects to the same page as facebook.com/whitehat, with no notification that the test accounts page even exists.
You should really pay him.
The right thing to do is add Khalil to the white hat list, and pay him what he deserves. He doesn't speak or read English as you have noticed. Your TOS for white hat page is NOT even translatable.
He used real accounts because your team did not care what he had to say. What do you think he should have done? Sell it to the black market?
But couldn't your team be a bit grateful? Though he did post to Zuck's account, he didn't sell the vulnerability as a zero day on the black market, no?
A cheap insurance policy: making the payout, cultivating trust with white hats who are nonetheless decidedly a bit bone-headed (if well-meaning).
Alright, here's a preemptive question for you then.
Should a logged in user be able to retrieve the email addresses of an arbitrary friend, regardless of their contact privacy setting being set to "only me"?
You all are lucky that people are sharing this stuff with you guys for $500 instead of on the black market for much more. You're also lucky that people are doing the job that highly-paid Facebook engineers should have done. And if I read between the lines of your post, you and your team think that you're pretty clever.
The right thing to do is to cut this guy a check for $500 and keep your mouth shut, before people stop reporting security bugs to you.
I know I'm already discouraged--if I find anything, the last thing I want to deal with is a mediocre engineer telling me I didn't fill out the TPS form the right way.
The language barriers are enough to justify any mistakes made in conforming precisely with the T&Cs. He didn't abuse the hack. He reported it to you. Pay him, tbh.
"So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people's Walls, he reported it to Facebook.
That bug is a spammer's dream. To prove his bug was real, Shreateh posted something to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg.
He then contacted Facebook's security team with the proof that his bug was real, he explained in a lengthy blog post. Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that Shreateh shared.
Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall."
You discover a bug on FB just by being a normal user not a "whitehat" security user:
* You discovered it by doing "something" to someone else's account --> FB will not pay : SELL on black market.
* You think the bug isn't really a bug but then it happens again --> FB will not pay : SELL on black market.
* You have a life that you don't want to waste with reading through legalese and filling out forms. FB says it is not a bug. Maybe they are right? You don't want to spend the time arguing about it over email --> SELL on black market
* You are not a lawyer, or do not do security testing full-time on FB. Or you are a normal user who has not kept on the FB ToS now that we are on the 100 billionth version --> You probably did something wrong. --> FB will not pay : SELL on black market.
* You are a US citizen and do not want to be charged with CFAA violations as a hacker --> SELL on black market.
Otherwise,
FB might give you some money.
For a better PR, pay him and use this case as an example to teach the future whitehats. FB has low esteem for a reason.
It's pretty arrogant of Facebook to redefine the meaning of white hat don't you think? Posting to the Facebook founders page to let them know of a security vulnerability is not malicious, plain and simply, not. Trying to steer the embarrassment of your failings because this guy didn't read your TOS is incredibly hypocritical.
Plus, I am very sure the mistake was on Facebook's end in the first place. I experienced it myself: for 6 months now I have been trying to get Facebook to take action over privacy breaches and violations of Facebook's terms by a Facebook user, and I have not even gotten a response on any channel I tried.
If you really do not give him his reward for the report and keep him informed, then this is extremely unfair from Facebook's end. In this case I strongly recommend to white hat hackers in future cases: do not count on the Facebook team; publish bugs and security issues on blogs. Obviously the Facebook team gives priority not based on whether a problem is urgent, only on how "public" it is.
Frank
In addition to all of that, it's the right thing to do.
You stay classy Facebook.
Shows how many issues there should be that are not taken into account.
BTW: English not being the primary language for these folks has nothing to do with anything; it shows how much stereotyping there is in being American or not. It's a global world, wake up!
BR,
That being said I think Facebook could have given the reward and a slap on the wrist at the same time considering the language barrier.
So each reporter received approx. $1000? That's all?... Heh, Facebook is a very greedy company.
"We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
We have now re-enabled your Facebook account.
Joshua
Security Engineer
Facebook"
I can already picture people saying "of course, Mark Zuckerberg would refuse to acknowledge the work of a Palestinian." (regardless of the fact that Mark Zuckerberg describes himself as an atheist)
As many others have said: The TOS was only available in English and that's not his first language. He did the only thing he could to get your attention and fix the problem.
Most certainly, this chap should have followed proper decorum by consistently petitioning Facebook to pay heed, by filling out the necessary forms and ensuring a stamped, self-addressed envelope was also included should they choose to write to him at a later time.
And then to go and expound his savagery to the Noble CEO's account, an utter insult to civility indeed! (Yes! I'm being sarcastic)
In the comments of the blog post, Khalil admits that it isn't that he has a poor understanding of the English language, it is just that he doesn't care.
> whatever , i dont care for miss spelling , just the idea , i never correct an underline red word ;)
So we have a guy that doesn't give a crap about communicating correctly, who then complains when he is not understood.
I'm sure the FB security team triages a lot of bug reports, and a few get away - hopefully they'll be better about trying to get more info (boiler plate requesting steps to replicate or a video), but beyond that no harm no foul. I can also see that they don't want to encourage researchers messing with real user data. However, if they paid him out and told him in the future, that he should provide more information and not use real accounts (or not get paid out, etc), that'd have the same effect (you know, since it already happened) w/o the bad will generated.
Instead, they didn't pay him, locked his account, and now we're reading that blog post, not only encouraging him and the people like him in the future to not submit these bugs in the future (certainly serious enough that it'd be worth discovering vs being in a 0-day marketplace), but generating way more visibility for no good reason. It's just not smart.
Through my sarcasm I was trying to convey the often imperialistic (and in my opinion useless douchebaggery) view we tend to take on certain matters and people, which, I believe, hinders communication and progress in general. It's not just a language barrier, it's a cultural barrier. One that exists even between people who speak the same language. (Don't know if the social media movie scene with Zuckerberg being reprimanded by Harvard was based on real events or pure fantasy, but that's a good example)
So he ignored some squiggly red lines, maybe his command of English is marginal. Maybe he's worried about bullets possibly flying over his head in a few minutes or in a situation that many of us in the west couldn't fathom. I've had to communicate in Spanish before and I know I probably slaughtered the grammar, spelling and more, but at that time I was trying to convey an important message. Fortunately the people I was speaking with were very kind and patient. They listened and somehow understood the sentences and symbols I had cobbled together.
This whole attitude we have that if someone doesn't fit our cultural context in language or behavior, they are somehow inferior, is absolute BS. I have seen programmers with an accent perceived as being "dumb", while in fact they were far better than their peers. I myself have been subjected to this type of bias, when I forgot to follow some proper decorum somewhere, simply because I was broke and had more important things on my mind. This is typical of out-of-touch monolithic institutions and the type of thinking that goes with it. It's outright absurd and funny, just like my sarcastic comment :)
Here are a couple I found:
http://blogs.msdn.com/b/oldnewthing/archive/2011/12/15/10247... http://blogs.msdn.com/b/oldnewthing/archive/2008/03/14/80801...
Before contacting the submitter, we want to be sure that we weren't missing something, but after looking at it from every angle, we still couldn't see what the issue was.
...Stumped, we contacted the submitter. "From what we can tell, the call to system takes place before you call the LoadKeyboardLayout function. Can you elaborate on how this constitutes a vulnerability in the LoadKeyboardLayout function?"
This is like getting PR advice from a lawyer when there is trouble coming your way. Sure, the lawyer will tell you to repeat "no comment" or deny any involvement over and over again. That might be the right strategy in a legal sense and work out fine when nobody is watching.
But you are losing in the court of public opinion when the public perceives your actions as unfair. And denying some kid a few hundred bucks even though he found a legit hack, just because he didn't follow some proper corporate policy guideline, does definitely reflect negatively on Facebook.
And what do you propose as the alternative? A legalised document that outlines every "if this"-"then that", in every language, continent, dialect, etc.? You know how that story goes...
> And denying some kid a few hundred bucks even though he found a legit hack just because he didn't follow some proper corporate policy guideline does definitely reflect negatively on Facebook.
You know what makes Facebook look even more negative? The future precedent set when good-will hackers think it's OK to use a non-test account and drop the exploit on the CEO's page.
I know it's hard for the HN community to do so, but let's try practicing some empathy with both sides before we pick up the pitchfork.
Obviously I don't love the end outcome, and this would have gone better for all parties if he had used a test account and included some kind of repro instructions (like that video) in the initial report.
Clearly, but that's not really something you can control. From your perspective, the other side of the tradeoff with "hurting real user accounts" is "leaving open a huge security hole", not "being mean to whitehats when they screw up". I don't disagree that the guidelines seem quite reasonable prima facie and perfectly fair to the whitehat in some moral sense, but it's unclear if they're actually working. It boils down to: if you had to choose between finding out about this security hole the way you did or not finding out about it at all, which would you choose? How many not-quite-so-aggressive versions of this guy are out there, and how many holes are you leaving on the table? Edited to add: If an important way of finding vulnerabilities is people breaking the rules, then the rules suck, regardless of their intrinsic fairness.
It could well be that keeping not-great-communicator/guideline-follower whitehats from reporting some number of bugs through questionable means is actually worth those flaws sticking around. Of course I don't see the daily flow of vulnerability reports to FB (or all the ones that don't ever get reported), so I don't know. But it sounds like a harder question than you make it out to be.
We all know this person had good intentions. But good intentions aren't always enough. Facebook doesn't appear to be freaking out at him. They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
If only you could do something about it to make the end outcome more ideal.
You should be rewarding him, not discouraging him.
I know arguing with someone as stubborn as you is useless, but what can I say?
Consider what motivates people more deeply.
If they bothered to look at his profile (it's public), they'd see he looks to be a great fan and tinkerer on the Facebook platform.
Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.
If this is the case, then surely facebook could just choose not to press charges, and if so, what would be unlawful paying him in that case?
They might even throw a little fanfare his/her way to send a message that the bank appreciates being told and not robbed blind. (Especially given that they're a "community bank" built by pioneers and not a monolithic marble statue institution :-P)
However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't investigate carefully that possibility.
Lesson learned: Find a security hole, report it to Facebook, and they don't respond after two attempts? Sell it as a zero day.
Incentives matter. And there is always money to be had somewhere else.
When an employee whose job it is to evaluate security issues says "this is not a bug", that determination carries the force of law the same way as if it appeared in the TOS. You cannot rely on people to follow some nebulous "spirit of the TOS" when meanwhile your employees have already made a contrary specific determination for how it applies to this particular bug.
"You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
You will not create more than one personal account."
It's translated. I believe it requires you to be in a locale to get this page to display automatically. It certainly exists for people creating accounts in Arabic, and absolutely includes the relevant lines.
Thinking otherwise might be idiotic too, but that's beside the point.
"Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing."
Which leads me to believe most people commenting are not doing so with an actual understanding of the situation, and are instead viewing this solely as Big Bad Facebook vs innocent hacker.
This is like... the textbook definition of a hack.
> however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exist. Just no one at Facebook wants to engage and be human it seems.
I love that this statement is downthread of a Facebook engineer's comment that states he considers the guidelines reasonable. It's as if you're just a drone following written orders without the ability to make compromises.
>This is like... the textbook definition of a hack.
Perhaps of "hacking FB", but he didn't "hack an account".
I don't see what the problems are for FB here. They have a moral obligation to reward him for reporting this bug, especially since their ToS are apparently not available in Arabic. Claiming that he showed any sort of malicious/inappropriate behavior is a really bad tactic to save some money when they clearly handled this very badly from the start, while his intentions were obviously good.
All they are achieving by reacting this way (including the apologists) is that next time, such people will just sell their exploits on the blackhat market.
re: reason; where does his reason come into play? It does not seem reasonable to post to M.Z.'s timeline, I'd guess he did that because he was P.O.ed at being dis'ed by the support people.
In the bureaucratic theory I am aware of, if you have rules (policies, procedures, standards etc.) you need to apply them consistently. Sometimes the rule will allow for discretion, sometimes not. I don't see room for discretion here.
Yeah, rules that don't take into account reason are inhumane. Similarly why we don't just give everyone 10 years in prison because they committed a crime - you take into account all aspects - and not just apply "oh but he committed a crime, so this is the result."
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
I don't see why that is. They already provide the following caveat:
> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.[1]
So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).
I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?
However, it also sounds to me like an opportunity for a bug / exploit reporting proxy business that validates, reproduces, and polishes reports in bulk. You most certainly could extract a much higher bounty per report.
In the appropriate language: https://news.ycombinator.com/item?id=6231153
Otherwise, you should make some good faith effort to not assume devious intentions on someone making a good faith effort to report problems.
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
Technically, according to the security person at Facebook, it wasn't a bug. When he did the same thing again on Mark Z's account, it suddenly became hacking. Yeah, he didn't follow a procedure that wasn't available to him in his native language, but he made a good faith attempt to report the bug, and did so several times.
> But good intentions aren't always enough.
Several attempts to contact them despite being told the actions he was taking were not a bug, despite clearly explaining why it was?
You're acting as if there's no precedent implicated in Facebook learning of someone violating both their normal ToS and the terms of their bug bounty program by compromising someone else's account, and then paying them a reward.
You're wrong about that.
Saying someone fucked with another person's account implies otherwise.
The blackhat market for Facebook exploits is not huge because the product is centrally controlled and can be patched at any time. It's not like 0-days for products with individual installations that aren't centrally controlled with forced updates - those are clearly valuable.
No one said anything about a crime. Denial of the bounty is not brutal.
I'm no fan of Facebook, but even I can see why they can't ever encourage such irresponsible behaviour.
1) Lots and lots of negative press. (we wouldn't talk about this if this wasn't true)
2) Embarrassing the CEO of a company and thereby also hurting the reputation of his company
3) And on top of that he breached his privacy
And you still think that they treated him too harshly by withholding payment? I mean, couldn't he have waited a few more days or reopened the ticket, or maybe just used Facebook's test accounts? It's not like he waited for ages; he brought this bug to attention last Friday.
But yeah, waiting a whole weekend was probably too much for him to take, so he obviously had to post on MZ's wall.