by tptacek 5232 days ago
Whoah. Whoah. Whoah. You're handwaving around the real issue. It's not legal to find vulnerabilities by testing other people's running web applications without permission, and it never has been.

People obviously do it, all the time, against sites that haven't officially given permission (as Google and Facebook have), and most of the time they get away with it, but they are rolling the legal dice every time they do. People have been getting in trouble for doing this for years.

The people selling vulnerabilities are generally running the software themselves. Huge difference.

1 comments

My post, and his reply, were only discussing the disclosure of vulnerability information. I didn't say it was legal to attack a live system that you don't own. I see how you are making that logical leap in the case of Facebook, but it isn't necessarily a given. There are ways one can legally become aware of vulnerabilities in Facebook, and share that information.