Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not all bugs are created equal, and Facebook doesn’t like people messing with its users, or its executives.
That researcher, Khalil Shreateh, discovered a bug in the Facebook platform that enabled him, or any other user, to post comments on the walls of other users who aren’t their friends. That shouldn’t be possible under normal circumstances, so Shreateh reported the problem to Facebook through its bug bounty program, hoping to earn a reward from the company. Instead, the company told him that the issue wasn’t a vulnerability. So Shreateh went a step further and demonstrated the technique by posting a message to the wall of Facebook founder Mark Zuckerberg.
That got Facebook’s attention. But it didn’t get him a reward. Instead, Facebook temporarily disabled his account and told him he had violated the company’s terms of service, so he wasn’t eligible for a bug bounty. As it turns out, Shreateh is going to get a lot more than the $500 or so he would’ve gotten from Facebook.
On Aug. 19, after details of the incident became public, Marc Maiffret, a well-known security researcher and CTO of BeyondTrust, started a crowdfunding campaign to get Shreateh a reward for his work. As of Aug. 23, that campaign has raised more than $12,000 and Maiffret is in the process of transferring the funds to the researcher.
“I hope this has raised awareness of the importance of independent researchers. I equally hope it has reminded other researchers that while working with technology companies can sometimes be frustrating, we can never forget the greater goal: to help the Internet community at large, just as that community has helped donate over ten thousand dollars to Khalil within a day,” Maiffret said in a statement on the fund-raising site.
The episode with Facebook and Shreateh isn’t the first time that a researcher and a company have been at odds over the value of a bug and whether it qualifies for a reward. In May, PayPal officials butted heads with a teenage German security researcher who reported a cross-site scripting flaw to the company. PayPal acknowledged the flaw, but refused to pay a reward to 17-year-old Robert Kugler, saying that he was too young to qualify, because participants are required to have a valid PayPal account, and the minimum age for that is 18. PayPal officials also told Kugler that another researcher had reported the same bug before Kugler did.
Image from Flickr photos of epsos.de.