26 comments

[ 2.7 ms ] story [ 27.9 ms ] thread
Sad. We should not encourage people who violate the sole universal rule of bug bounty programs: don't mess with other users. Period.

I understand it's frustrating when a bug report goes ignored or dismissed (still waiting on PayPal to confirm a couple bugs I reported last June or July (admittedly I haven't tried hard)), but that's part of the process. You work with them to refine the message until they understand clearly what the problem is and get it resolved. You don't mess with anyone else's account, under any circumstances.

This is just not acceptable, and it's sad to see some of the security community supporting it.

The guy was obviously acting in good faith. Sure, he may not have known the right way to go about doing what he was demonstrating, but that was ignorance, not malice.
I think this discussion is going to be a regurgitation of everything said in the original one. So here goes my part:

Facebook's rules were only available in english - despite having a way to switch most of facebook to arabic, the guy is obviously not a strong english speaker.

Rules are only guidelines for people who can't (or aren't allowed to) exercise good judgment. Rules are meant to be black and white, but real life is rarely so. In this case absolutely no harm was done, or even suggested, by the guy's actions. Facebook's decision to apply judgment rather than zero-tolerance is commendable.

EDIT: Facebook is still doing the brainless zero-tolerance thing. Shame on them. I should have read the article rather than assume the best.

PS the best company I ever worked for had as the first line of their employee handbook: "Don't do anything stupid just because it is written down in this book."

> Facebook's decision to apply judgment rather than zero-tolerance is commendable.

Re-read the article. They didn't.

What do you mean "apply judgment rather than zero-tolerance"? They dismissed his initial report, then applied their zero-tolerance policy with regards to paying rewards for bugs that have been tested on other users.
TFA says some hackers are raising money for him, doesn't say Facebook is paying a reward, so not clear what Facebook decision is commendable.
Encouraging ignorance is even worse than encouraging malice :P
This isn't encouraging ignorance, it's encouraging good faith, (which is a large part of the entire purpose behind security bounties) and has undoubtedly been an learning experience for the gentleman involved.
Yes, I heard he is going to black market next. That's a good lesson I think.

Nowhere I saw good faith, just greed for money. He was even asking for money in the initial bug "reports". http://4.bp.blogspot.com/-4LbrTjyKBXc/Ug5sokeeR0I/AAAAAAAAAJ...

Don't confuse altruism with good faith. He was obviously not being altruistic - he wanted to be compensated for the vulnerability he had found - but he was not being malicious in his TOS-violating behaviors. There was no intent to cause damage, to exploit the bug for personal gain, or to otherwise be a bad actor. That is what "acting in good faith" means; the things he did were benign and intended to bring the issue to Facebook's attention. The fact that he wanted to be compensated for his discovery doesn't diminish that.
Don't agree. If you attempt to communicate a security bug and get ignored or told "it's not a bug", then you can do pretty much anything you want "within reason". Posting a harmless block of text on Mark's wall isn't the end of the world. He could have posted something extremely offensive, then I would not be on his side. If someone told me there was a way to exploit my LinkedIn account, I said "no way", then she edited my LinkedIn profile to add "I really love fluffy bunnies" to my current job title - I'd correct my job title, then say "Okay. Good job. Tell me how you did it". In the same way I think it would be ridiculous to get a speeding ticket for going 66 MPH when the limit is 65mph, this guy should get the reward despite this minor technicality. He tried doing it the "right" way, it didn't work. Yes, I know he wasn't super clear & he posted on someone's wall but FB could have at least tried to clear it up with him. Imagine if hospitals worked that way, someone shows up clearly in distress but doesn't speak english. Do you just say, "Well. I don't know what you're saying, so get out". You at least try to figure out what's going on... From what I've read, FB didn't even do that... so messaging on Mark's wall is just a small slap on the wrist so FB will make more of an effort next time. At the very minimum, FB could update their TOS to highlight the important sections for this situation, give the guy the reward, tell security-staff to be more supportive in the future, then announce that they will refuse to pay out on anyone copying this guy's actions going forward.
He posted on a real person's wall with the initial bug report. It says right on the /whitehat page not to do that, and he mentioned /whitehat in his bug report, so he should have known.
And yet, a police officer would be fully justified in ticketing you for going 1 mph above the speed limit. That's the point of a speed limit - removing ambiguity and limiting speed.

You only disagree with it because it's not well-enforced. Seeing other people get away with it sets a precedent for you to feel like it shouldn't be a rule. And the same would happen to Facebook if they paid him - eventually, the whitehat program's "technicalities" would become as pointless to enforce as a police officer ticketing someone for going "1 mph" over the speed limit. "Oh but it doesn't matter! It's just 1 mph!" If a speed limit designed to make a clear cut line doesn't work for you, how do you define rules? There's no objectivity to it at that point. It becomes a slippery slope.

Many people feel that small "technicalities" don't constitute real, ethical laws. This is wrong and an error in thinking. Every rule and every law is a restriction by technicality. Technically, you can go 65 mph, but not 66 mph. That's the line that delineates legality. It doesn't matter if you agree with it, it doesn't matter if you see other people do it, that's what it is.

But it is a rule, just like Facebook's Whitehat TOS. Agree with it or disagree with it, they don't care. You either follow all the rules, or you don't participate. That's the bottomline. They don't owe anyone money, they offer a bounty if you explicitly follow the rules and have proper discretion. It's really not complicated.

>Many people feel that small "technicalities" don't constitute real, ethical laws. This is wrong and an error in thinking. Every rule and every law is a restriction by technicality. Technically, you can go 65 mph, but not 66 mph. That's the line that delineates legality. It doesn't matter if you agree with it, it doesn't matter if you see other people do it, that's what it is.

I don't agree. We're not robots, we're people. There is room for flexibility. To quote Captain Picard from Startrek TNG...

"Jean-Luc Picard: I don't know how to communicate this, or even if it is possible, but the question of justice has concerned me greatly of late and I say to any creature who may be listening, there can be no justice so long as laws are absolute. Even life itself is an exercise in exceptions."

Not really my place here, daeken, but shouldn't you try harder? If those bugs are still live then they constitute a security threat. Aside from you not getting a reward for it, it's probably not good they're in the wild, right?
They're insanely minor and have no real impact on end users, just could pose a minor inconvenience. They're certainly a real security issue, just not anything serious.
Agreed. I don't think people appreciate that running a bounty program is not an easy task. The vast majority of the reports you get are invalid, and you have to actively search for the signal in the noise. Mistakes happen, but the correct response is for the reporter to provide more information and a better demonstration. Breaking the rules of the program, however, should never be inbounds and I certainly don't think it should be rewarded.
Misleading title. He did not hack his account. He bypassed privacy/security restrictions and was able to post on his wall.
Another thing that's misleading, Facebook isn't the one paying out:

> Now, Marc Maiffret, chief technology officer of cybersecurity firm BeyondTrust, is trying to mobilize fellow hackers to raise a $10,000 reward for Shreateh after Facebook refused to compensate him.

Even worse confusion is "reward" and I almost had a stroke before I realized it's not facebook. Facebook paying the reward would have been ridiculous since then everyone would know their whitehat tos doesn't mean shit.
And here I thought they might be doing something right.
That's pretty much the textbook definition of a hack.
People are raising money to pay someone to fix bugs on Facebook. This is how I see it, and it's really really weird.
Shame on Facebook, other pen-testers are now going above and beyond and raising money for this person. For a person in the 3rd world, $10,000 is a LOT of money, so the guy must be feeling really happy!

That's about 7 months of salary here in Bolivia for a software developer. I imagine it's even less where he's from.

Those pentesters are wrong for raising money for him. He didn't follow the rules, that's what he is being rewarded for. It's setting a bad precedent.
I do not believe we should always blindly follow the rules.

His intentions were good and it solved a serious problem, is this really something you do not want to reward?

While it has caused some bad PR for Facebook, I still believe that mainly happened because of how they reacted and a language barrier.

If did not speak english at all but found a serious bug like this, should he just not report it or should he use google translate?