Recent reports on our whitehat program (facebook.com)
You don't even have to tell anyone you did it if you are worried about "rewarding non-preferred behavior".
Mute the commercial and watch this video to meet this guy and realize he was trying to help and you were being idiots:
http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-f...
He hasn't worked in two years and his laptop is missing 5 keys.
Facebook's stance is akin to "we don't negotiate with terrorists". Although obviously this wasn't malicious (or "terrorism"); just a case of a foolish newbie who failed to follow the rules.
How was he foolish? Also the rules weren't written in his first language. Intent matters[1]. Facebook needs to be the first place people like him go, and be welcoming.
Facebook could do many things that don't involve paying a bounty directly. For example they could make a donation of the same amount to a suitable school or charity in his area.
[1] For example we do that when people are killed http://en.wikipedia.org/wiki/Murder_(United_States_law)#Degr...
Bounty programs are not there to create a more appealing market and out-bid the black hat hackers.
He did follow the rules. It's just that he didn't know how to express them. And what made you think he is foolish?
Now is the time for both sides to make their apologies and for Facebook to reward the hacker.
If people see that Facebook backs out of paying for legitimate, reported bugs, they'll seek other options to monetize them.
In his report he lacked the communication skills necessary to make a useful bug report, which in my opinion caused the problem.
If you could create your own "non-friend" user mock object and demonstrate the bug, no one has to parse your bad language. He proved the bug through a live test - doesn't it make sense to provide this kind of testing ground to whitehats?
I'm not a hacker, just a plain old developer. But in my world, when I want to explain something, I do it with test-case code and live examples, not through long-winded emails or bug reports.
That said, Facebook will surely find some deal so they end up with positive PR.
If anything, he had great communication skills. He overcame a non-native language barrier, while being conversationally blocked, and still made his point clearly.
Besides, are communication skills the important skill here? I would say, not.
Facebook do not pay white hat hackers at a level appropriate to their skill and work ($1m total? that's all?!) and now it's also clear they are looking for technicalities to avoid payment.
I've reviewed our communication with this researcher, and I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him.
Facebook says Facebook failed communication. "He tried, we failed," is pretty cut and dried.
If you are taking reports from users about security problems, treat every one as real until proven otherwise.
If you say you will pay 500 bucks per bug reported, you will have a huge fail rate. Even if Facebook Support is well motivated, after 3 hours of work answering 100 tickets you might not be able to understand something written in this way:
"Rhe vulnerability allow’s facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and i got success post … of course you may cant see the link because sarah’s timeline friends posts shares only with her friends , you need to be a friend of her to see that post or you can use your own authority ."
You might mistake it for:
"You can post something on a friends page and you can't see it if you aren't friend with that person"
a) it's called triage and b) you won't want to miss that one report that blows your security wide open.
The point is moot now; Facebook says they took note and will ask for more details from now on.
So, my statement still stands. Unless you want to contend that we should assume we know better than Facebook Security and ignore what they say is and isn't a violation/bug?
But the rules exactly say not to mess with real users. So there is not really any "technically following the rules" when he so clearly did NOT follow the rules.
Despite the many headlines talking about the guy who hacked Zuckerberg's Facebook account, I am unaware of any report that specifically calls out the violation of Zuck's account as the reason he is not getting paid. What I've seen are simply citing the fact that Facebook will not pay the bounty if you mess with real users, per the whitehat program's rules. He messed with a real user prior to Zuck... so one can rightfully assume that even if he had not messed with Zuck, he still would not have been paid the bounty. But he also would not have received the press he did.
The purpose of bounty is to encourage white hat hackers to challenge one specific application instead of millions of other applications out there that the white hat hacker could spend his/her time on.
So it's saying "Hey...instead of working on that random application why don't you try to hack us because hey you could earn some money too".
It's assumed that the person is a white hat hacker who would not sell the bug in black market anyways, even if there was no bounty.
That amount for Facebook is practically like a chocolate bar.
They do not want to pay him because he exploited the bug he found two different times, once on the CEO's profile which has resulted in a very significant and negative PR for Facebook.
Facebook will not say "Thanks for creating shitty PR for our brand and damaging our reputation, here have this money"
Whitehat bounty program, as the name implies, is for whitehat hackers.
And whitehat does not mean "Will not sell in black market as long as there's good enough bounty money to be collected".
Facebook is not competing with or outbidding black market rates.
If someone is the kind of hacker who would just go and sell the bug in the black market, Facebook would not want to pay them in the first place.
The purpose of bounty programs is NOT to "encourage black hat hackers to sell their bugs to us instead of black market", but rather it is "encourage white hat hackers to challenge our application instead of millions of other applications out there".