Hacker News

I want to step in here - Facebook is in no way trying to save a few bucks. I've reported a few bugs to Facebook and they go out of their way to pay you greater sums depending on the severity.

You just have to be professional and disclose in detail, with steps to reproduce.




Nobody would disagree with you that the disclosure message was poorly written.

Though the Facebook engineer conceivably could have offered to give the guy's email to a native speaker or tried to get more detail from him, I don't blame the initial Facebook engineer for dismissing it on the spot given that he probably had a few dozen other messages like that on the same day to review and deal with.

But it's all about perception here. The end result of this is a big PR loss for Facebook if they want to protect their users and get people to submit bug reports without having to fear that they'll lose out on money.

The next time an inexperienced foreigner discovers an exploit, they'll research this topic and see that Facebook answered this guy with a "thanks for working for us for free" message. So what will happen is that when some spammer comes around with a few thousand dollars in cash vs. the uncertainty of dealing with Facebook, odds are the exploit will go to him rather than Facebook. They won't read about the hundreds of times that Facebook did pay up, but the couple of times they didn't.

So this is just a big loss for the internet because Facebook made it that much more likely that people will sell their exploits to all kinds of nefarious people.


You are completely ignoring the fact that the reporter initially created massive negative PR for Facebook by posting on Mark's profile.

The bounty for Facebook is like a chocolate bar. They don't care about that.

And the message is not "thanks for working for us for free".

The message is "thanks...but next time remember not to exploit the bug you found".

The PR damage that he has caused for Facebook is probably many times greater than the bounty he was going to be paid.

He violated their terms of service, and if Facebook just ignores the fact that he exploited it on two different users, then future reporters will expect that too.


Who said that only professionals can find vulnerabilities? The guy is clearly inexperienced, but catching the bug is no lesser favor to Facebook. They are being dicks. And they deserve the bad press.



