Hacker News new | ask | show | jobs
by meowface 3840 days ago
Honestly, I think he did go too far downloading the S3 data, but nothing in their policy stated or implied that was against the rules. He did not violate their written guidelines. And so, Facebook should have paid him (and then changed their policy), even if begrudgingly.
1 comments
voronoff 3840 days ago
Here is what's happening right now:

FB: He's an experienced bug bounty hunter and should know where reasonable borders are.

All the experienced security guys itt: He's an experienced bug bounty hunter and should know where reasonable borders are or at least not pivot/escalate without asking. Also never dump and hold data.

Everyone else: What he did isn't technically against the rules FB wrote, so they are screwing him, despite it also being written that they have sole discretion.

link
sangnoir 3840 days ago
> All the experienced security guys itt...

Ah, so those who disagree are inexperienced? No true scottsman indeed!

link
meowface 3840 days ago
How is that a "no true scotsman"? Most people in this thread commenting have not indicated they work in the infosec industry.

(For the record, I do, though I'm not sure I'd flatter myself by saying I'm "experienced" exactly.)

link
sangnoir 3840 days ago
The problems I have with your absolute statement:

* You are stating that all (not some) experienced security folks are agreeing unanimously. The implication is that those show disagree are not "experienced security guys" (as you called them: "everyone else") - they are the ones who aren't true scotsman

* you assume those who don't explicitly indicate that they work in infosec industry do not work in the infosec industry

* also, you do you need to be "experienced" in the infosec industry to be correct / wrong.

link
meowface 3840 days ago
I wasn't the one who made the comment you're referring to. I'm just saying there is no evidence of a "no true Scotsman" here, as far as I can tell.
link
sangnoir 3840 days ago
apologies - didn't notice you weren't OP. IMO, the "no true Scotsman" is implied (might be unintentional)
link
meowface 3840 days ago
I'm a security guy and I think what he did towards the end is dubious and strange, but again, he was following their guidelines as written.
link