Recent reports on our whitehat program (facebook.com)
Facebook, at least send the guy a new laptop.
You don't even have to tell anyone you did it if you are worried about "rewarding non-preferred behavior".
Mute the commercial and watch this video to meet this guy and realize he was trying to help and you were being idiots:
http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-f...
He hasn't worked in two years and his laptop is missing 5 keys.
Maybe they did. If they followed your advice we'd never know.
Am I the only person out there who agrees he shouldn't receive a bounty?!
Facebook's stance is akin to "we don't negotiate with terrorists". Although obviously this wasn't malicious (or "terrorism"); just a case of a foolish newbie who failed to follow the rules.
> just a case of a foolish newbie who failed to follow the rules
How was he foolish? Also the rules weren't written in his first language. Intent matters[1]. Facebook needs to be the first place people like him go, and be welcoming.
Facebook could do many things that don't involve paying a bounty directly. For example they could make a donation of the same amount to a suitable school or charity in his area.
[1] For example we do that when people are killed http://en.wikipedia.org/wiki/Murder_(United_States_law)#Degr...
You have to remember why these bounty programs exist in the first place. The whole point is to discourage people from selling the exploits to more unscrupulous parties. This guy had good intentions and he made a mistake because he wasn't as familiar with the ToS as he should have been. They should warn him about following the ToS in the future, and then they should give him his bounty. Foolish newbies with noble intentions deserve second chances.
I guess next time he should just sell the exploit on the black market then.
If he's the kind who would sell the exploit next time, Facebook isn't interested in rewarding him anyways.
Bounty programs are not there to create a more appealing market and out-bid the black hat hackers.
That's exactly what they're there for. They encourage and reward a white-hat culture.
Bounty programs do not attempt to compete with black hat markets or outbid black market rates.
The purpose of bounty is to encourage white hat hackers to challenge one specific application instead of millions of other applications out there that the white hat hacker could spend his/her time on.
So it's saying "Hey...instead of working on that random application why don't you try to hack us because hey you could earn some money too".
It's assumed that the person is a white hat hacker who would not sell the bug in black market anyways, even if there was no bounty.
> just a case of a foolish newbie who failed to follow the rules
He did follow the rules. It's just that he didn't know how to express them. And what made you think he is foolish?
Technically, he did follow the rules. Exactly. And was expressly told by a Facebook Security person that what he was doing was not a bug.
His initial bug report included a link to a post he made, using the exploit, on a user's account that was not a friend. The timeline of all that makes it very clear that he violated the TOS, thus the whitehat program rules, prior to reporting the bug.
I know the timeline. As explained by the security person at Facebook, it was not a bug. They were mistaken. However, the fact is, he wasn't penalized for that incident. Rather, the incident with MZ's account.
So, my statement still stands. Unless you want to contend that we should assume we know better than Facebook Security and ignore what they say is and isn't a violation/bug?
You said: Technically, he did follow the rules. Exactly.
But the rules exactly say not to mess with real users. So there is not really any "technically following the rules" when he so clearly did NOT follow the rules.
Despite the many headlines talking about the guy who hacked Zuckerberg's Facebook account, I am unaware of any report that specifically calls out the violation of Zuck's account as the reason he is not getting paid. What I've seen simply cites the fact that Facebook will not pay the bounty if you mess with real users, per the whitehat program's rules. He messed with a real user prior to Zuck... so one can rightfully assume that even if he had not messed with Zuck, he still would not have been paid the bounty. But he also would not have received the press he did.
This is wrong. The reporting guy clearly had white-hat intent and made an effort to alert Facebook to a real security problem. Because of miscommunication and some poor decisions, a message was posted to another user's wall. There was no malicious intent; this was done as an (admittedly desperate) part of a conversation.
Now is the time for both sides to make their apologies and for Facebook to reward the hacker.
They're not going to pay him. To do so would be legally risky, and set a precedent that could be helpful to actual malicious attackers in civil litigation. "Don't use accounts without accountholder consent" is the single most important term in a bug bounty; if you don't honor it, you're not participating in the bug bounty, but rather doing something else.
I don't see why paying him would necessarily have legal consequence: Facebook could make a discretionary payment while making it clear it's outside the scope of the bug bounty terms (indeed, by stating that he was doing something else).
Should (will) the next person to post on MZ's wall expect a "discretionary payment" for "doing something else"?
They should pay the guy, not because it's the "right" thing to do, but because it maximises future bug reporting.
If people see that Facebook backs out of paying for legitimate, reported bugs, they'll seek other options to monetize them.
After reading the messages between the white hat and Facebook, I do believe it is the right decision not to pay him.
In his report he lacked the communication skills necessary to make a useful bug report, which in my opinion caused the problem.
> lacked the communication skills necessary to make a useful bug report
If anything, he had great communication skills. He overcame a non-native language barrier, while being conversationally blocked, and still made his point clearly.
Besides, are communication skills the important skill here? I would say, not.
Facebook does not pay white hat hackers at a level appropriate to their skill and work ($1m total? that's all?!) and now it's also clear they are looking for technicalities to avoid payment.
$500 for a bug report. That'll be cheaper than a day's work for one of their developers.
Radle, perhaps more communication skills are needed to understand Facebook's response here:
I've reviewed our communication with this researcher, and I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him.
Facebook says Facebook failed communication. "He tried, we failed," is pretty cut and dried.
Caused the problem? The real problem was that someone could post to any user's wall. That was a problem with Facebook caused by its own developers.
Facebook's communication skills were not stellar either ('this is not a bug').
If you are taking reports from users about security problems, treat every one as real until proven otherwise.
What if you get over a 90% fail rate?
If you say you will pay $500 per bug reported, you will have a huge fail rate. Even if Facebook Support is well motivated, after 3 hours of work answering 100 tickets you might not be able to understand something written this way:
"Rhe vulnerability allow’s facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and i got success post … of course you may cant see the link because sarah’s timeline friends posts shares only with her friends , you need to be a friend of her to see that post or you can use your own authority ."
Yes.
a) it's called triage and b) you won't want to miss that one report that blows your security wide open.
The point is moot now, facebook says they took note and will ask for more details from now on.
"lacked the communication skills"... seriously? how do you know? just because English is not his primary language and he had hard time expressing himself in an unfamiliar language does not mean that he "lacked the communication skills".
We are not talking about being bad at English we are talking about being difficult to understand.
Facebook gives $500 per bug reported, which ends up in a lot of failed reports if something like this gets sent:
"Rhe vulnerability allow’s facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and i got success post … of course you may cant see the link because sarah’s timeline friends posts shares only with her friends , you need to be a friend of her to see that post or you can use your own authority ."
You might mistake it for:
"You can post something on a friends page and you can't see it if you aren't friend with that person"
I could perfectly understand it and English isn't my first language either. This is just Facebook weaseling themselves out of their promise by using bogus arguments. Besides that: If you do not understand a bug report for a security problem you ask for a clarification. That's what professionals do.
Facebook couldn't care less about the amount of bounty paid.
That amount for Facebook is practically like a chocolate bar.
They do not want to pay him because he exploited the bug he found two different times, once on the CEO's profile which has resulted in a very significant and negative PR for Facebook.
Facebook will not say "Thanks for creating shitty PR for our brand and damaging our reputation, here have this money"
Sure, but the PR will be far more shitty if the reaction of the next hacker is "Sorry, I could have told you about this bug, but I have heard that you don't honor your bounty agreements, so I have sold it to others - Have fun!"
Facebook is not worried about that at all.
Whitehat bounty program, as the name implies, is for whitehat hackers.
And whitehat does not mean "Will not sell in black market as long as there's good enough bounty money to be collected".
Facebook is not competing with or outbidding black market rates.
If someone is the kind of hacker who would just go and sell the bug in the black market, Facebook would not want to pay them in the first place.
The purpose of bounty programs is NOT to "encourage black hat hackers to sell their bugs to us instead of black market", but rather it is "encourage white hat hackers to challenge our application instead of millions of other applications out there".
This is absolutely the right response; I think it's not a stretch that a security report might be provided by a "newcomer" or potentially even a complete layman.
It makes way more sense to offer some sort of sandbox to prove bugs to filter this kind of thing (instead of having less-than-stellar bug responders like the "this is not a bug" guy).
If you could create your own "non-friend" user mock object and demonstrate the bug, no one has to parse your bad language. He proved the bug through a live test - doesn't it make sense to provide this kind of testing ground to whitehats?
I'm not a hacker, just a plain old developer. But in my world, when I want to explain something, I do it with test-case code and live examples, not through long-winded emails or bug reports.
The whitehat program page clearly spells out that you should use test accounts and then links you to a place to view/create test accounts: https://www.facebook.com/whitehat/accounts/
I guess he would have made more money by selling the exploit to someone with tons of fake accounts and botnet. Then they would have used it to flood walls with malware and advertising links and generic spam.
Facebook can't possibly pay him. Exploiting a bug on the live site is not something they can reward, even if they want to. It would set the wrong kind of precedent, signaling that it's OK to do whatever to demo an exploit on Facebook.
That said, Facebook will surely find some deal so they end up with positive PR.
This could be soooo easy. Just provide a way to create a temporary account for tests that is not "a real user" and offer it on request. Creating and deleting these should not be a problem - if a report is false, the account won't change anyway.
Facebook already has the ability to create test accounts: https://www.facebook.com/whitehat/accounts/
If these accounts were internally tagged as security test accounts and were created automatically and a security researcher had no control over them (think honeypots), Facebook could monitor changes and see if anything on these accounts changes that should not. As the security researcher does not control the account unless an attack is successful, Facebook can grade attacks without human intervention. I can't see anything suggesting they have such a system in place.
Judging by their response and reference to 'test accounts' this is what they currently do.
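The two ideas raised above, a sandbox of mock "non-friend" accounts in which a researcher can prove a bug without anyone parsing the write-up, and automatically provisioned honeypot test accounts that Facebook monitors for changes a researcher should not have been able to cause, can be sketched together. The following is an added illustration written for this thread, not Facebook's code or any part of its whitehat program; every account id, researcher name and post in it is constructed, and the "real-user-123" id stands for any account outside the registry.

```python
# Added example (not Facebook's code): an automated grader for honeypot-style
# test accounts, as proposed in the thread. All ids and names are constructed.
from dataclasses import dataclass, field, asdict
from typing import Dict, FrozenSet, List
import hashlib
import json


@dataclass(frozen=True)
class Post:
    author: str      # account id of whoever wrote the post
    timeline: str    # account id whose wall the post landed on
    text: str


@dataclass
class HoneypotAccount:
    account_id: str
    researcher: str               # who the account was issued to (attribution only)
    friends: FrozenSet[str]       # accounts that are allowed to post here
    posts: List[Post] = field(default_factory=list)


class HoneypotRegistry:
    """Tracks automatically created test accounts that no researcher controls.

    A baseline fingerprint is taken when an account is created; any later change
    to the account is, by construction, the result of a successful demonstration
    (or a bug), so findings can be graded without a human reading the report.
    """

    def __init__(self) -> None:
        self._accounts: Dict[str, HoneypotAccount] = {}
        self._baseline: Dict[str, str] = {}

    @staticmethod
    def _fingerprint(acct: HoneypotAccount) -> str:
        payload = json.dumps([asdict(p) for p in acct.posts], sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def provision(self, researcher: str, friends=()) -> str:
        """Create a honeypot account for a researcher and snapshot its state."""
        acct_id = f"test-{len(self._accounts) + 1:04d}"
        acct = HoneypotAccount(acct_id, researcher, frozenset(friends))
        self._accounts[acct_id] = acct
        self._baseline[acct_id] = self._fingerprint(acct)
        return acct_id

    def is_test_account(self, account_id: str) -> bool:
        return account_id in self._accounts

    def record_post(self, post: Post) -> str:
        """Ingest a post event; 'in-scope' if it hit a honeypot, else 'out-of-scope'."""
        acct = self._accounts.get(post.timeline)
        if acct is None:
            # A post on a timeline outside the registry means a real user was
            # touched, which the program rules forbid: flag it, do not grade it.
            return "out-of-scope"
        acct.posts.append(post)
        return "in-scope"

    def grade(self) -> List[dict]:
        """One finding per honeypot post that the friend rules say was impossible."""
        findings = []
        for acct_id, acct in self._accounts.items():
            if self._fingerprint(acct) == self._baseline[acct_id]:
                continue  # untouched: the reported bug did nothing here
            for p in acct.posts:
                if p.author == acct_id or p.author in acct.friends:
                    continue  # owner or friend posting is expected, not a finding
                findings.append({
                    "researcher": acct.researcher,
                    "honeypot": acct_id,
                    "author": p.author,
                    "issue": "non-friend post on timeline",
                })
        return findings


def run_demo() -> dict:
    """Constructed scenario: a researcher demonstrates a non-friend posting bug."""
    reg = HoneypotRegistry()
    attacker = "researcher-A-own"                       # researcher's own test identity
    friend = reg.provision("researcher-A")              # test-0001
    victim = reg.provision("researcher-A", friends=[friend])  # test-0002
    results = {
        "friend_post": reg.record_post(Post(friend, victim, "hi")),
        "bug_demo": reg.record_post(Post(attacker, victim, "non-friend post demo")),
        "real_user": reg.record_post(Post(attacker, "real-user-123", "oops")),
    }
    results["findings"] = reg.grade()
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The grader never needs the researcher's prose: the friend's post leaves no finding, the non-friend post on the honeypot produces exactly one, and the post to an account outside the registry is reported as out of scope instead of being graded, which is the distinction the program rules draw between test accounts and real users.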