Hopefully BeyondTrust will use the opportunity to also train him in responsible disclosure.
Regardless of the response you get from a vendor, you don't make use of an exploit against a vulnerable target. That is the line that separates the good guys from the bad. Period.
Facebook has invested heavily in sandbox environments and automated generation of test accounts with test data explicitly for researchers to help demonstrate vulnerabilities. It is even mentioned many times on the page where you go to find the address to report issues to and learn about the bounty program.
Lets not forget Mark himself was charged with breaching security, violating copyrights, and violating individual privacy by Harvard's disciplinary board for students - he turned out ok.
In order of desirability, the methods of dealing with a discovered exploit are:
1. Report to vendor and do not publicly discuss until they've fixed it
2. Demonstrate the exploit in public to prove that it works
3. Sell on the black market to Mafia/NSA/etc
The guy attempted approach (1), and didn't do a very good job of it, but it seems this was at least in part due to inexperience. Should he have worked more carefully to pursue option (1) first? Sure. But Facebook should have asked him for more information, perhaps pointing him to the guidelines.
So next he went to option (2). Facebook found the bug, and fixed it. Option (2) is infinitely better than option (3). I think Facebook should be extremely grateful to this guy - he even apologised for having to take this option in his post on MZ's wall, after (1) failed. Regardless of his & facebook's mistakes, they still should be thankful for him reporting it.
Option 2 is not "Post on real user's account", option 2 is "create account, use" or "use on established test account".
He was wrong, period, to post to a user's page. 100% wrong, and has no right to ask for the money, because of that. Facebook's response is exactly the correct response - fix the miscommunication, but remain firm in the denial of money to someone who broke clear rules.
There's a difference between "This is not a bug" and "We don't have enough information to proceed with your report. Can you please follow the guidelines here for a more detailed one? Thanks for your help."
If you want responsible disclosure, the guy just did the first step, reporting to your security team privately. Guide him, learn the thing, reward and move on.
I'm torn on this one. A while back I reported an exploit I'd found to a vendor to also get a back a "not a bug" response. Next version in their software had it fixed. They didn't have a bug bounty and I didn't have much interest in it past that I'd rather if fixed that not.
If there had been a small bounty on the line and it would have played out the same way, I'm not sure how I would have handled it. I'm all for responsible disclosure and wouldn't have any interest in posting it online or exploiting it. But what is the correct response if money is owed and you've already shared the exploit with the vendor?
In all fairness he did attempt to report it. Although very poorly. He an email saying in essence 'I found a bug' instead of 'If you change the id on the submit function of the post button you can submit to other walls.' If we would have sent the latter I think they would have paid more attention to him.
And he lives in Hebron in Palestine. How will they give him the money?
Answer: not easily. The financial blocks between that area and the rest of the world are just as real as the geopolitical ones. It will be impressive if they do it, short of a guy meeting him at a checkpoint and throwing an envelope to him.
How will that solve the problem? Great, he'll have a wallet full of bitcoins. How many vendors in Palestine accept them as payment for goods & services?
Indeed, also Palestine is full of money transfer places too not like there isn't a moneygram or WU branch everywhere. Russians cash out Bitcoins to banks there as well through Anelik, Contact sys ect
He could have been gifted online stuff anyway. Get an account, send him the password.
Bitcoins for these services add nothing other than some extra % costs when using them, and still don't solve the problem of getting physical goods where he is.
Don't you think it would be a bit weird to give the guy a subscription to Anal Magazine? Give him money, even if he can't get it physically, he can still use it online.
Going to research it a bit to make sure he will get the funds and then I am also donating http://www.gofundme.com/3znhjs
I am concerned "gofundme" will not be able to pay out to Palestine , I don't think paypal will work there and I don't even think USPS will deliver there? I know Israel will not allow Palestine to mail out internationally.
I don't understand how someone could discover a security exploit in the first place without breaching the Facebook ToS. Doesn't that give them a getout for anything that's reported to them?
facebook have a well-established program to allow anyone to look for security-related bugs. There are indeed terms and conditions associated with it however, including not interfering with real data/people.
But that doesn't matter since the argument was ridiculous in the first place. If you cannot understand or read rules, that doesn't meant they don't apply to you. Also, he understands English very well.
Language barrier or not as far as i know code is still written the same way.
The least the Facebook guys could have done is ask for details not just reply this is not a bug.
And once you fix a bug reported by someone you don't get to deny their bounty. The best you can do is complain about the methods used to demonstrate it. You're not in a position to fk with hackers we are ultimately the ones helping you.
We have something that is ultimately more valuable on the black market that Facebook are paying us so they should be handing out bonuses not stealing what we earned.
//Meanwhile somewhere in the black market
$parent->postFacebook("I'll be early from work today and have lost my key. Leave the key in the flowers.");
$child->postFacebook("Ok, no problemos.");
}
36 comments
[ 2.9 ms ] story [ 93.5 ms ] threadRegardless of the response you get from a vendor, you don't make use of an exploit against a vulnerable target. That is the line that separates the good guys from the bad. Period.
Facebook has invested heavily in sandbox environments and automated generation of test accounts with test data explicitly for researchers to help demonstrate vulnerabilities. It is even mentioned many times on the page where you go to find the address to report issues to and learn about the bounty program.
1. Report to vendor and do not publicly discuss until they've fixed it
2. Demonstrate the exploit in public to prove that it works
3. Sell on the black market to Mafia/NSA/etc
The guy attempted approach (1), and didn't do a very good job of it, but it seems this was at least in part due to inexperience. Should he have worked more carefully to pursue option (1) first? Sure. But Facebook should have asked him for more information, perhaps pointing him to the guidelines.
So next he went to option (2). Facebook found the bug, and fixed it. Option (2) is infinitely better than option (3). I think Facebook should be extremely grateful to this guy - he even apologised for having to take this option in his post on MZ's wall, after (1) failed. Regardless of his & facebook's mistakes, they still should be thankful for him reporting it.
He was wrong, period, to post to a user's page. 100% wrong, and has no right to ask for the money, because of that. Facebook's response is exactly the correct response - fix the miscommunication, but remain firm in the denial of money to someone who broke clear rules.
You mean create a fake account? Isn't that against TOS?
> "use on established test account"
Where the instructions are in English, even after changing language?
> He was wrong, period, to post to a user's page
Mark Z. is not just any user. FB is publicly traded, yes, but he is basically Facebook. It's not like he 'hacked into' someone's account.
FB allows the creation of test accounts for security research https://www.facebook.com/whitehat/accounts/
If you want responsible disclosure, the guy just did the first step, reporting to your security team privately. Guide him, learn the thing, reward and move on.
If there had been a small bounty on the line and it would have played out the same way, I'm not sure how I would have handled it. I'm all for responsible disclosure and wouldn't have any interest in posting it online or exploiting it. But what is the correct response if money is owed and you've already shared the exploit with the vendor?
Answer: not easily. The financial blocks between that area and the rest of the world are just as real as the geopolitical ones. It will be impressive if they do it, short of a guy meeting him at a checkpoint and throwing an envelope to him.
Bitcoins for these services add nothing other than some extra % costs when using them, and still don't solve the problem of getting physical goods where he is.
I am concerned "gofundme" will not be able to pay out to Palestine , I don't think paypal will work there and I don't even think USPS will deliver there? I know Israel will not allow Palestine to mail out internationally.
https://gofundme.zendesk.com/entries/22590777-Is-my-country-...https://www.paypal-community.com/t5/Getting-started/Palestin...
Palestine is not listed -> https://www.paypal.com/worldwide/
----
Guy lives in a place with 22% unemployment and has not been able to work in two years.
Watch this interview if you have not already http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-f...
But I don't think gofundme will be able to pay out and therefore everyone's donations will have to be refunded.
But that doesn't matter since the argument was ridiculous in the first place. If you cannot understand or read rules, that doesn't meant they don't apply to you. Also, he understands English very well.
And once you fix a bug reported by someone you don't get to deny their bounty. The best you can do is complain about the methods used to demonstrate it. You're not in a position to fk with hackers we are ultimately the ones helping you.
We have something that is ultimately more valuable on the black market that Facebook are paying us so they should be handing out bonuses not stealing what we earned.
else {
Personally, I wouldn't leave my keys in the flowers because a random person I didn't know posted it on my wall.