by lhl
4692 days ago
"Using Zuck's account doesn't make it more convincing from a tech perspective." - In this case, that's obviously false. The guy submitted the bug twice and the final reply was "This is not a bug." After posting to Zuckerberg's account it was subsequently fixed. I'm sure the FB security team triages a lot of bug reports, and a few get away - hopefully they'll be better about trying to get more info (boilerplate requesting steps to replicate or a video), but beyond that no harm no foul. I can also see that they don't want to encourage researchers messing with real user data. However, if they paid him out and told him that in the future he should provide more information and not use real accounts (or not get paid out, etc.), that'd have the same effect (you know, since it already happened) w/o the bad will generated. Instead, they didn't pay him, locked his account, and now we're reading that blog post, not only encouraging him and people like him to not submit these bugs in the future (certainly serious enough that it'd be worth discovering vs. being in a 0-day marketplace), but generating way more visibility for no good reason. It's just not smart.