[tptacek]

They're not "denying him the reward". He demonstrated the vulnerability on someone's actual account. They can't pay people to fuck with other people's accounts. That's not what bug bounties are about. Only on a message board is this hard to understand.

[ceol]

A very specific message board, it seems like. /r/netsec is having no trouble understanding it.

Which leads me to believe most people commenting are not doing so with an actual understanding of the situation, and are instead viewing this solely as Big Bad Facebook vs innocent hacker.

[vehementi]

"Paying people to fuck with people's accounts" is a pretty dishonest way to frame this.

[tptacek]

No, you just refuse to think about the larger picture. I went out of my way to say that this person wasn't deliberately harming anyone.

You're acting as if there's no precedent implicated in Facebook learning of someone violating both their normal ToS and the terms of their bug bounty program by compromising someone else's account, and then paying them a reward.

You're wrong about that.

[chris_wot]

I went out of my way to say that this person wasn't deliberately harming anyone.

Saying someone fucked with another person's account implies otherwise.

[prab97]

He didn't f* up Zuck's account. Just making a wall post on some account doesn't f* that account in any way.

[webvictim]

It's still a violation of privacy though, and these are viewed as serious by the ToS.

[nwmcsween]

It's understandable it's just not the right mentality towards someone that hacks for profit and bug bounties generally target this ($500 though is hilarious). Effort and time is supposed to be directly related to payout, if it takes more effort and time for less of a payout then the bug reporting is broken.