by reginaldo 4525 days ago
Hi HN, I'm the one who found the bug. My writeup is at http://www.ubercomp.com/posts/2014-01-16_facebook_remote_cod.... I'd be glad to answer any questions. I won't disclose the amount for now because I want to know what people think this would be worth, but eventually it will be disclosed. If you run an OpenID-enabled server now it's a great time to make sure your implementation is patched.
2 comments

Facebook disclosed it in the comments (about a minute after you made this comment).
Ha. Clearly Facebook doesn't care about privacy... I wonder if they even asked him first.
The way they disclosed it:

> Reginaldo agreed we could share the payout, it was $33,500 for this issue.

Apologies for making the assumption that, based on how OP stated it, he had full control over disclosure. I'd still prefer to hear from OP, as Facebook can say what they want or could be mistaken on the finer details of what was or wasn't agreed upon.
Did Facebook ask you if they could disclose it? Because they did disclose it.