by sgift 4691 days ago
I could perfectly understand it and English isn't my first language either. This is just Facebook weaseling themselves out of their promise by using bogus arguments. Besides that: If you do not understand a bug report for a security problem you ask for a clarification. That's what professionals do.

Facebook couldn't care less about the amount of bounty paid.

That amount for Facebook is practically like a chocolate bar.

They do not want to pay him because he exploited the bug he found two different times, once on the CEO's profile, which has resulted in very significant negative PR for Facebook.

Facebook will not say "Thanks for creating shitty PR for our brand and damaging our reputation, here, have this money."

Sure, but the PR will be far more shitty if the reaction of the next hacker is "Sorry, I could have told you about this bug, but I have heard that you don't honor your bounty agreements, so I have sold it to others. Have fun!"
Facebook is not worried about that at all.

A whitehat bounty program, as the name implies, is for whitehat hackers.

And whitehat does not mean "will not sell on the black market as long as there's enough bounty money to be collected".

Facebook is not competing with or outbidding black market rates.

If someone is the kind of hacker who would just go and sell the bug on the black market, Facebook would not want to pay them in the first place.

The purpose of bounty programs is NOT to "encourage black hat hackers to sell their bugs to us instead of the black market", but rather to "encourage white hat hackers to challenge our application instead of the millions of other applications out there".