Not sure what you mean by "again".

> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.

I don't see why that is. They already provide the following caveat:

> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.[1]

So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).

I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?

[1] https://www.facebook.com/whitehat