by pampa 4681 days ago
Denying bounty to a hacker on some bullshit "Terms of Service" violation excuse defeats the whole purpose of the bounty program.

Next time a hacker will just sell the exploit to somebody else, cash upfront, and won't bother reporting.

2 comments

It's not "bullshit Terms of Service" - Facebook clearly lays out the terms of the Whitehat program.

There was no bait and switch - it's very explicitly stated that he should not be exploiting the vulnerability, and that it needs to be clearly explained.

I respect that he found a vulnerability, but he still needs to adhere to a website's terms and conditions. If the security team he reports a bug to doesn't "get it" the first time he should try again, not publicize it on Hacker News and attract negative publicity by putting it on Mark Zuckerberg's wall.

It's not "bullshit Terms of Service", it's "bullshit excuse". There is a difference.

You originally said bullshit TOS, which is why I quoted that. It's not a bullshit excuse for all the reasons I already mentioned.

Replace:

"Next time a hacker will just sell the exploit to somebody else, cash upfront, and won't bother reporting."

With:

"Next time a hacker will make sure they follow the Terms of Service when reporting"

For a much more likely scenario.