When Khalil Shreateh exploited a Facebook bug to post on Mark Zuckerberg’s wall, he wasn’t trying to cause trouble. He wanted to help Facebook out (and possibly make a few bucks in the process).
Facebook, however, doesn’t see it that way. While the company has already rewarded hackers $1 million for reporting bugs, it’s refusing to pay up for Shreateh, whose reporting methods it says violated its terms of service. As it turns out, Facebook isn’t too crazy about people hacking their way onto the wall of its CEO.
“We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users. It is never acceptable to compromise the security or privacy of other people,” Facebook chief security officer Joe Sullivan wrote in a blog post this week.
Recognizing that Shreateh may never get the money he’s technically owed, his supporters are paying him themselves. Marc Maiffret, the chief technology officer of cybersecurity company BeyondTrust, launched a donation campaign for Shreateh, which has raised over $11,000 in less than a day.
Here’s how Maiffret sees the situation:
Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work. Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone.
The “miscommunication” in this case refers to the way Shreateh reported the vulnerability. According to Facebook, which gets millions of so-called “bug reports” a day, Shreateh’s initial messages to the company weren’t detailed enough, which is partially why the researcher was initially rebuffed. Facebook may be partially to blame, but Shreateh’s still not getting his money.
Facebook’s stance here is understandable: While the company is fine with hackers finding and reporting bugs, it wants them to do so both ethically and quietly. Shreateh’s methods were neither ethical nor quiet, but it’s clear that Facebook is on the wrong side of the debate in this case.
The situation is actually pretty ironic given Facebook’s infamously hacker-friendly culture, which encourages employees to “move fast and break things.” Apparently, “breaking things” doesn’t apply to the rules.