[vehementi]

You seem to be making an awful lot of excuses to not just pay someone who brought to light a critical exploit. Do you work on the security team or are you a lawyer (maybe with a panicking accountant looking over your shoulder) trying to find fine print reasons say, "Aha! We can save money to our bottom line in this instance!" ? Do you know how silly it looks for you to make these excuses?

[tptacek]

This is pretty silly. Facebook obviously doesn't care about the dollars here; if anything, I'd imagine they want to be paying more bounties.

[vehementi]

Oh man! If only they could fix the situation!

[tptacek]

You're willfully ignoring what the situation actually is.

[vehementi]

The situation is the guy in good faith tried to give them repro steps and report a critical bug. Technically he fucked up and didn't do it on a white hat account. No harm was intended or done. They are denying him his reward based on a technicality. If that FB employee is not some lawyer trying to cover their asses, then he should want to pay this person and make it happen via some exception. If they truly didn't care about the money and wanted to pay more bounties they would do this. There is no danger of ruining the integrity of the ToS as another replier suggested. In future incidents they are free to not make an exception. In this case, it was all in good faith and the guy didn't know the proper procedure.

[tptacek]

They're not "denying him the reward". He demonstrated the vulnerability on someone's actual account. They can't pay people to fuck with other people's accounts. That's not what bug bounties are about. Only on a message board is this hard to understand.

[ceol]

A very specific message board, it seems like. /r/netsec is having no trouble understanding it.

Which leads me to believe most people commenting are not doing so with an actual understanding of the situation, and are instead viewing this solely as Big Bad Facebook vs innocent hacker.

[vehementi]

"Paying people to fuck with people's accounts" is a pretty dishonest way to frame this.

[nwmcsween]

It's understandable it's just not the right mentality towards someone that hacks for profit and bug bounties generally target this ($500 though is hilarious). Effort and time is supposed to be directly related to payout, if it takes more effort and time for less of a payout then the bug reporting is broken.

[arjie]

I remember a comment by you saying that most exploits are not that valuable. How valuable would this one have been?

[esailija]

It looks like preserving the integrity of their ToS to me. If you believe it is because of $500, you are a total idiot and I will not talk to you.

[hrjet]

If you think good hackers report security bugs for $500, I am tempted to call you a total idiot too (though I will not).

Consider what motivates people more deeply.

[esailija]

That is a vague reply with no apparent relevance to anything I said except the amount $500 which was not to be taken literally. My point was that facebook isn't doing this to save money and believing so is idiotic.

[hrjet]

My point is that people asking for a monetary reward might indirectly be asking for recognition, not the money per se.

Thinking otherwise might be idiotic too, but that's besides the point.