I applaud him for his expertise and finding the bug but here are some points Khalil:
- You violated Facebook's terms of service by exploiting the bug on Sarah's profile. You shouldn't have done that.
- I understand that English is not your first language and of course that's perfectly fine, people usually don't expect perfect English on the internet. However you have written the report quite lazily and haven't taken the time to clearly explain the steps. For example you have said "mark profile" instead of "Mark Zuckerberg's profile". That's just ambiguous language and confuses the reader. They probably receive a lot of wrong reports every day so if you make mistakes like that you are less likely to be taken seriously.
- After they said it is not a bug, it is clear that they have misunderstood you because you failed to communicate clearly. You could write a more detailed report and tell them that they have misunderstood you. If not you could report in your first language and let them ask one of their Arabic-speaking employees.
- You violated the terms again by exploiting the bug on Mark's profile. It would be bad if it was any other Facebook user too. But you went straight for Mark which will obviously generate a lot of buzz and negative publicity and I'm sure he doesn't appreciate someone randomly posting something on his wall.
- Just because they fail to receive your bug report does not make it ok for you to go ahead and exploit it.
By exploiting the bug you had found twice you lose your whitehat status and you no longer deserve the bounty. Whitehat does not mean "white hat unless you fail to take my report then I will have to exploit your CEO's profile for the world to see".
If Facebook does pay you for the bug, it is just setting a bad example and will be encouraging similar behaviour.
After that, every other person who finds a bug too will do something funny to Mark's profile for attention.
The author clearly has a language barrier. Not all bug reports are going to come with sterling reports to back them. In the end, Khalil fell back on the lingua franca of the internet: a working demonstration.
The onus is on the organization, not the bug reporter, to vet the information. From what I see, there was more than enough in the report to conclude there was a problem, and follow up.
If Facebook security fails in coding the application, in QA, and when a user files a bug report, it is awfully hard to place the blame with the bug reporter.
I agree, and in the end, they finally broke the language barrier and comprehended the bug which I am sure they are working on fixing. They were able to get all the benefit of his work, why screw him on a measly little bounty?
This isn't a good summary of the events. His "lingua franca" is technically illegal, and violates Facebook's explicit and easily accessible Terms of Service.
There's nothing obfuscated about this. It's very straightforward. Yes, he found a security vulnerability. That doesn't earn you points "just cause." You still need to report it with responsible disclosure and not exploit it for the lulz and attention.
He could have done things differently - especially, he could have asked to talk to a Facebook employee who understands Arabic. Or tried to put more effort into a second security report.
Frankly, posting on Mark Zuckerberg's wall about this is childish and just attention-grabbing. It's not a responsible disclosure.
That's not Facebook's problem...should they also write Esperanto terms of service and Swahili terms of service just because security researchers exist who speak those languages?
And the bug wasn't this hacker's problem. It's important to remember that this guy went out of his way to help Facebook.
As such, they should be a bit more understanding when someone that speaks Esperanto submits a bug without doing so in a way that perfectly adheres to their terms of service. They should step back and take a subjective view instead of trying to make it black and white. Was he acting maliciously? Did he knowingly violate the terms or was it out of ignorance? Was he trying to hurt Facebook by violating the terms or help them?
> If Facebook does pay you for the bug, it is just setting a bad example and will be encouraging similar behaviour.
I strongly disagree.
Despite not following the process by the book, I think it is clear that he attempted to act in good faith and had trouble with language/cultural issues. It's not like he posted porn or something on Zuckerberg's profile.
I think that going out of their way to stiff this guy out of a few bucks makes it all the more likely that any future vulnerabilities that are discovered by foreigners will just be sold to spammers/hackers. And this makes the internet a worse place.
Facebook saved a few bucks but just lost a big PR war here over whether Facebook will reward you for disclosing vulnerabilities.
Facebook should have paid the guy and used this event as a reminder about the best practices and procedures to follow.
I want to step in here - Facebook is in no-way trying to save a few bucks. I've reported a few bugs to Facebook and they go out of their way to pay you greater sums depending on the severity.
You just have to be professional and disclose in-detail with steps to reproduce.
Nobody would disagree with you that the disclosure message was poorly written.
Though the Facebook engineer conceivably could have offered to give the guy's email to a native speaker or tried to get more detail from him, I don't blame the initial Facebook engineer for dismissing it on the spot given that he probably had a few dozen other messages like that on the same day to review and deal with.
But it's all about perception here. The end result of this is a big PR loss for Facebook if they want to protect their users and get people to submit bug reports without having to fear that they'll lose out on money.
The next time an inexperienced foreigner discovers an exploit they'll research this topic and see that Facebook answered this guy with a "thanks for working for us for free" message. So what will happen is that when some spammer comes around with a few thousand dollars in cash vs the uncertainty of dealing with Facebook, odds are the exploit will go to him rather than Facebook. They won't read about the hundreds of times that Facebook did pay up, but the couple of times they didn't.
So this is just a big loss for the internet because Facebook made it that much more likely that people will sell their exploits to all kinds of nefarious people.
You are completely ignoring the fact that the reporter initially created massive negative PR for Facebook by posting on Mark's profile.
The bounty for Facebook is like a chocolate bar. They don't care about that.
And the message is not "thanks for working for us for free".
The message is "thanks...but next time remember not to exploit the bug you found".
The PR damage that he has caused for Facebook is probably many times greater than the bounty he was going to be paid.
He violated their terms of service and if Facebook just ignores the fact that he exploited it on two different users then the future reporters will expect that too.
Who said that only professionals can find vulnerabilities? The guy is clearly inexperienced, but catching the bug is no lesser favor to Facebook. They are being dicks. And they deserve the bad press.
I understand that English is not your first language (no I don't; I'll deride your command of it at every turn, going forward) and of course that's perfectly fine, people usually don't expect perfect English on the internet. However you have written the report quite lazily and haven't taken the time to clearly explain the steps (every whitehat reporter CAN NOT be expected to understand how or what to adequately include in a PoC; it is _Facebook_ who is shown to be lazy in their responses, failing to point the reporter to the rules, appropriate [localized] steps, and ANYTHING of value to help the reporter). For example you have said "mark profile" instead of "Mark Zuckerberg's profile" (lol, idiot). That's just ambiguous language (see, I really don't understand nor can forgive you for being an English speaker) and confuses the reader. They probably receive a lot of wrong reports every day so if you make mistakes like that you are less likely to be taken seriously (unlike the mistakes made by Facebook; woe is them who can't be arsed to not even have boilerplate guidance and just shrug off reporters; cool story bro).
Very informative commentary with your "lol" and "idiot" brackets.
Maybe Facebook sucks and can't be bothered with helping the reporter.
That does not make it ok for the reporter to go ahead and exploit it.
And for what it's worth, I'm not an English speaker either so I can understand and forgive someone for not being an English speaker too.
His report is very short and lazily written. It's not about the level of language skills. It's about the time and effort he put into disclosing the vulnerability.
Using simple language he could have written a step by step guide explaining the problem.
The point is, regardless of Facebook's behavior, it is not ok for him to go ahead and exploit the bug on two different users one of them being the CEO of the company. And he did not put in enough effort to make them understand what he's talking about. He could have given it another shot with more details.
Facebook is not trying to "save" money on the bounty program. The budget is already allocated and no one is sitting there crying over the couple of thousands of dollars and trying to stop people from getting it.
If anything, he has caused damage to Facebook's image and reputation due to the negative publicity, greater than the amount he was going to be paid.
So yes, if you post on Mark Zuckerberg's profile and create a news shit-storm of negative publicity against Facebook they are not going to thank you and pay you money.
I am sorry to have used your post as an example, but it's just ludicrous to expect everyone to know the rules. You keep deriding the reporter as lazy or lacking simple things!
His hack was lame; no one was hurt. Not even Facebook; nine 9s of their users won't know or care about such incidents. There's no telling that, had he used a whitehat account to repro the PoC, they would have paid any more attention; assuming the PoC can be performed on a whitehat account. It's not a stretch to think that a PoC against a real user should generate MORE attention.
The point is, Facebook failed to educate the reporter. They can improve their process. As you say, the bounty is really immaterial; I don't even mention it. However, the system is not there to make Facebook's life easier; if they care to only handle and reward pristine reports, they have another thing coming.
Oh come on. This is such a corporate PR stand. The guy had taken the perfect step by posting the exploit on Mark's wall. He tried twice with the best way available to him to report the bug. Is Facebook saying he should have adhered to a particular way for doing a service to them? Good luck painting him in a bad light. The next person will simply upload the video on YouTube and won't even bother reporting anything.
I thought the whole idea behind whitehat reports was to keep these exploits off the hands of malicious hackers.
Whoever made the decision not to pay this guy should check with Mark Zuckerberg. If Mark is still adhering to "the hacker way" he should embrace such clever ways of reporting exploits and invite any whitehat to test them on his or better, {the idiot who decided not to pay}'s profile.
Hacking and finding exploits requires thinking outside the box, by imposing rules and "terms of service" on them, Facebook might be defeating the whole purpose of the whitehat program.
Any exploit violates Facebook's terms anyways. By not paying, Facebook is telling the whitehat community "go ahead, do our QA for us, we will only pay you if we feel like it"
If a person is whitehat, it is understood, and by definition, they will not use the found bug for a bad purpose or sell it on black market.
Whitehat does not mean "I will responsibly disclose the vulnerability for as long as there's good money and rewards otherwise I will exploit it or sell it to someone else".
Facebook or any other company with bounty programs are not competing against the black market and trying to out-bid the bad guys by attracting the black hat hackers to wear a white hat and disclose the bug to Facebook for some money.
"we will only pay you if we feel like it"
Facebook isn't saying that. They are saying "we can not pay you because you violated our terms of service" which is truly an understatement. It should be like "we can not pay you because you exploited the bug on our CEO's profile and another one of our users and have created negative PR and damaged our reputation"
But even if they did say "we will only pay you if we feel like it", as far as whitehats are concerned that should not change their incentives and behavior because, again, whitehats, by definition are not those who disclose the bugs for money and rewards.
If you are a grey/black hat only wearing the white hat when the money is good enough then Facebook is not interested in dealing with you in the first place.
That's not true. There was a very easy way to find and demonstrate this bug without violating the TOS. The TOS clearly says, you can't target someone with your hack without their permission.
The hacker could have created two accounts he owned and controlled, which are not Facebook friends. He could have used one to post to the other's wall. Voilà, bug proven and bounty collected.
Facebook should not expect from whitehats the same standards of bug reporting as their QA department. Most hackers are self-taught, one of the reasons they are able to think outside the box and find exploits.
The whitehat program's priority should be to FIND EXPLOITS so they can be patched. Not having every single hacker in the world expend hours reading TOS and instructions on how to properly report such exploit.
Here is a thought: pay him less for not following procedures, but pay him anyways. Or better: pay a bonus to reports that follow proper procedures.
My company creates Facebook apps and has multiple FB accounts for testing purposes. They're not going to kick him off FB for having two accounts, come on.
> After they said it is not a bug, it is clear that they have misunderstood you because you failed to communicate clearly. You could write a more detailed report and tell them that they have misunderstood you.
Right. He could also make a detailed flow diagram, or maybe fly to US and demonstrate in loco how it works. Give me a break...
If I send a bug report and some lazy engineer replies back in laconic fashion with "It's not a bug" I would also have exploited the CEO profile. They should be thankful he didn't simply sell the exploit, it had the potential to be huge.
A lazy engineer doesn't automatically result in a warrant for exploiting the bug on the CEO's (or anyone's) profile.
No corporation will come forward and say "thank you for exploiting two of our users including our CEO and generating lots of negative PR for us. Here have this money for being a good boy and not selling the bug in the black market".
You talk as if raising awareness of the issue directly to the CEO of the company because his employee was incompetent at handling the issue in the first place is a bad thing.
It's not just the language barrier or the ethics of disturbing someone's profile though.
His emails read like a job application with some vague hints at an exploit that may or may not be real. I'd say he expected a job offer or at least an interview as compensation for eventually revealing the bug. In his perception, going ahead and posting on Zuckerberg's timeline was just another step toward that goal.
Breaking the rules is a somewhat glorified thing in hacker circles, and this may have contributed to his attitude. Of course, what they don't tell you when they say "break all the rules" is that only works out if you actually win in the end. And winning is an event often contingent on getting someone important to like you.
For what it's worth, all of that probably wasn't done in bad faith, but it wasn't a constructive process either. It's something someone very inexperienced would do if they were desperate for a job in the USA. It's understandable behavior, and if I was on the relevant FB team I'd at least have given him something to recognize his efforts. If in doubt, do the generous thing (and be it only for publicity's sake).
Considering the language barrier I have to shoot down some of your assumptions.
> - I understand that English is not your first language and of course that's perfectly fine, people usually don't expect perfect English on the internet. However you have written the report quite lazily and haven't taken the time to clearly explain the steps. For example you have said "mark profile" instead of "Mark Zuckerberg's profile". That's just ambiguous language and confuses the reader. They probably receive a lot of wrong reports every day so if you make mistakes like that you are less likely to be taken seriously.
The part where Khalil writes "mark profile" is the way it is said in Arabic because Arabic has no capitalization. There is no "apostrophe + s" in Arabic either.
The violation of TOS is obviously a violation, but the language barrier thing again. The TOS is not in Arabic.
Finally:
> - Just because they fail to receive your bug report does not make it ok for you to go ahead and exploit it.
The word "exploit" is not the right word here. He didn't exploit the bug, he demonstrated it, albeit in a poor way but it wasn't an exploitation.
Excellent summary, thanks. I don't think most of the people raising an outcry over Khalil not receiving any bounty understand that the Terms and Conditions are explicit and easily accessible. They also can't just set a precedent.
"Oh, if we don't understand your bug report, just post it on our founder/CEO's Facebook wall and it'll shoot right up to the top on our priority list."
I know everyone hates big companies but come on...the argument for Khalil to not be paid is very reasonable. I respect him for being able to find the bug but it's not a conspiracy. He could have sent back an email trying to be more clear, or ask for an Arabic-speaking employee.
Plus, Facebook is not a stingy company when it comes to paying security researchers. Just look at their Hall of Fame. It includes HN's 'homakov (Egor Homakov), who wrote an excellent blog post about finding a vulnerability in Facebook and his primary language isn't English. But he still found a way to report the vulnerability through responsible disclosure and he is very happy with the bounty he received.
Everyone thinks it's so cool and "sticking it to Facebook" and that Facebook is just some big bad company who doesn't care about the small folk. It's not like that at all, change your perspective.
If the Facebook security team responded more thoughtfully, we wouldn't even be reading about this as news. Instead of:
"This is not a bug" (essentially, "go away")
...they could have said:
"Thanks for the report. It seems that English may not be your first language, so to be very clear, in order to check this issue, we will need these pieces of information (A, B, C). Please feel free to reply in your language, and we will have a native speaker help translate."
If I was the researcher, the callous "go away" response would have convinced me that it would be more fruitful to sell the exploit to a spammer (who would pay HANDSOMELY to be able to post to anyone's wall).
I agree with your point but I disagree with your method.
I agree that they should also offer a means to communicate in other languages, if they have that capacity.
But, your choice of sentence structure - with clauses and formal social graces - would be hugely more difficult for a non-native speaker to parse correctly.
If the goal is to communicate with a non-native speaker, Facebook's message is appropriate for its clarity.
Bear in mind also that they probably do want incorrect bug reports to "go away" - unless Facebook apply infinite resources to this, some false negative errors are inevitable.
Yes I agree that the Facebook employee could have responded better.
But you are mixing two different issues.
Facebook employee saying "go away" does not automatically result in a warrant for you to go ahead and exploit the bug you found.
If you do that, you no longer meet the definition of a whitehat researcher.
That kind of person is not the type that Facebook wants to reward because Facebook is not competing against the black market prices.
It is simply rewarding those honest reporters who would report the bug even if they were 100% sure that Facebook is not going to pay anything and would not exploit it or sell it even if the Facebook employee said "screw you" or if the black market bids were 6 digit figures.
1. I agree, Facebook probably could have been more tactful in their reply. Your example reply looks good.
2. That said...if you were the security researcher, and you received a "This is not a bug." - you would still be fully wrong in selling the exploit to the highest bidder. It's not ethical to do that just because you failed to get a bounty after reporting it, especially if you only tried once.
I think both sides should have done things differently. Hacker News is skewed towards BigCo hatred as a whole, and I think it's showing a bit. The majority is siding with Khalil despite the fact that there are valid reasons for him to not receive a bug bounty.
Oh, and just to clarify, I'm not coming at this from the perspective of "BigCo hatred". It is in Facebook's best interests to treat white hat reported security issues seriously, even if they don't initially understand them.
What are the chances that this security researcher ever reports another bug to Facebook, given how he was treated? Selling future exploits to spammers wouldn't be the ethical thing to do, but if I know "Emrakul" in Facebook Security is just going to tell me to F-off, I start to justify it.....
you would still be fully wrong in selling the exploit to the highest bidder. It's not ethical to do that just because you failed to get a bounty after reporting it, especially if you only tried once.
Well he tried twice, and they told him it wasn't a bug both times. After that, what's wrong with selling "not an exploit" to the highest bidder?
I think there are valid legally justifiable reasons for refusing the bounty, however they are outweighed by the reason for the bounty system to exist in the first place.
Not paying someone over minor violations that they only did to get your attention to the fact that something was definitely important to you is not good practice when running a bounty for bugs.
Re: "We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service."
Poor Zuck, literally poor poor Zuck. #Sarcasm
Prediction: People will start finding holes, shorting the stock, exploiting the holes, then going public with the exploit and making their money once the stock dips.
Done correctly, that probably pays pretty damn well, yes?
No, not really. You need to risk a lot of capital to make any money at all.
For instance, to make even $10,000 on a 5% drop in Facebook stock, you would need to sell short $200,000 in Facebook stock and would need to have $100,000 in cash deposited with a broker (initial margin). If the stock goes up by even a penny, you would need additional margin to cover that. A young hacker with no money cannot make any by shorting stocks.
You could create a much more leveraged position with options. With a put option buy, your maximum loss is capped, so you wouldn't need any additional margin.
Uh, no. How many security exploits do you think would impact Facebook's stock? This one? Investors do not care about minor bugs that are fixed quickly.
Simultaneously use the exploit on many investors' FB pages, perhaps starting with their children and families. Nobody cares about an exploit used on Zuck's wall and fixed soon after, but the perception would change if it was more personal and widespread.
In my opinion, I think they should compensate him. They said he violated their terms... Their terms on the whitehat page are not even localised for other languages. Too bad.
In his first message, he demonstrates that his bug exists by showing that he exploited somebody else's account. This is obviously never the way to make a bug report. Heck, it's probably even illegal. You shouldn't need to read a site's terms and conditions to know that doing this will be breaking them. It's an expensive lesson. Hopefully it will lead to him being more sensible in future. I have no sympathy.
It's not "bullshit Terms of Service" - Facebook clearly lays out the terms of the Whitehat program.
There was no bait and switch - it's very explicitly stated that he should not be exploiting the vulnerability, and that it needs to be clearly explained.
I respect that he found a vulnerability, but he still needs to adhere to a website's terms and conditions. If the security team he reports a bug to doesn't "get it" the first time he should try again, not publicize it on Hacker News and attract negative publicity by putting it on Mark Zuckerberg's wall.
While the instructions to report bugs on the whitehat page are not localized, the terms Facebook is referring to (https://www.facebook.com/legal/terms) are.
Give them a few days? Companies like Microsoft receive 200,000 bug reports each day, and each one has to be examined to determine authenticity. Plus, you sent it before the weekend.
It's not "disgusting"...you just need to be patient.
Join the club...I've never received a response from them about basic issues.
Now I am a Facebook advertiser with a $30k monthly budget...I thought surely then I'd get some responses from them (for example, when I was unable to make changes to my ad campaign, including daily budget, for WEEKS, due to a javascript bug), but still left completely in the dark.
There are no excuses. Facebook should expect that hackers with English as a second language (or not even that) will find bugs in the system and that they will not be able to communicate the way the Facebook team expects.
They should stop finding excuses and start to focus their efforts on making sure that people with no communication skills can report any bug.
Suggestion: Facebook could create a new "Facebook_security" system, which can be used to report bugs. The system would have the same production version, but the terms and conditions would be flexible. It would be used only for security purposes, and if someone finds a bug, they could record the exploit and send it to the Facebook team. By doing this, they would make sure that any type of bug could be reported.
I can't reply to all of these comments, but I can say that I love the Facebook security team when they ignored me ;)
Thank you for your support. Regards.
Don't worry about your English, just continue to do what you are doing. But understand one thing, what you are doing is only worth learning a thing or two. Whether FB is paying you or not does not really matter!
I was a little irritated that your English was criticized so heavily! And it's more irritating when a security team fails to understand a security issue that I was able to understand.
To be fair they rejected it because his "report" consisted of a link to a profile where he claimed to have exploited the bug, without any explanation of what he actually did. If he had at least given a rough indication of what the exploit was I am sure they would have reacted differently.
> my name is khalil shreateh.
> i finished school with B.A degree in Infromation Systems .
> i would like to report a bug in your main site (www.facebook.com) which i discovered it .
> repro:
> the bug allow facebook users to share links to other facebook users , i tested it on sarah.goodin wall and i got success post
> link - > https://www.facebook.com/10151857333098885
> -----End Original Message to Facebook-----
Your point being? He doesn't explain the exploit at all, he just gives them a link to some profile he claims to have exploited (which already violated their ToS).
That doesn't automatically make it ok for him to go ahead and exploit someone's profile for attention (for the 2nd time). He wrote a lazy report and knew they did not understand him. He could write a more detailed report and tell them that they have misunderstood him. Or he could write one in Arabic and ask them to get help from one of the Arabic-speaking employees.
After two messages back and forth, he says "i have no choice other than report this to mark himself". He did indeed have many other choices but he jumped straight to posting on Mark's profile which he knew would create a global shit-storm.
It's clear he wasn't very reluctant to post on Mark's profile anyway. He was just waiting for them to ignore him so he could drop his "i have no other choice" line and go ahead.