Facebook has refused to pay a bug hunter for discovering a critical security vulnerability, claiming he broke the bounty programme's disclosure rules when he demonstrated it by posting directly to Mark Zuckerberg's public wall.
The bug, spotted by independent researcher Khalil Shreateh, allows users to post on other people's public Facebook pages even if they are not friends. Shreateh claims Facebook is refusing to pay him for the find, despite his attempts to alert the social network to the problem using the company's legitimate White Hat disclosure programme.
Facebook security staff have since issued a statement on Hacker News, the Y Combinator forum, arguing that while the research is valid, the company cannot pay Shreateh for his report because he actively exploited the vulnerability against real accounts when trying to prove its existence. "The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat," read the Facebook post on the forum.
"We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent."
However, Shreateh has questioned this response, arguing that he was initially told his find was not a bug, leaving him no choice but to prove that it was by posting on Zuckerberg's wall. Facebook has again disputed this, claiming that Shreateh's initial report did not contain sufficient detail to reproduce the issue and that the bug had already been fixed.
"Unfortunately, all he submitted was a link to the post he'd already made (on a real account whose consent he did not have – violating our TOS and responsible disclosure policy)," read the post. "To be clear, we fixed this bug on Thursday."
Since the news broke, the security community has been divided over which party is in the right.
Some, such as PBJ Tech Solutions owner Jake Zimmerman, have sided with Shreateh, agreeing that Facebook forced his hand. "They told him flat out when he reported it 'this is not a bug' [and] they didn't ask for more information or anything. He posts on Zuckerberg's page, then it becomes a bug but he violated TOS. That's a no win right there," Zimmerman wrote in the comments section of Shreateh's post.
Others, including Andy Huang, graduate research assistant at Simon Fraser University in Canada, agreed with Facebook, arguing that there is never a reason to break disclosure policy. "Learn [the] proper procedure. Disclose the bug to Facebook, then you get paid. Wave your hands in the air saying there's a bug, but not actually disclose the bug, then you don't get paid. Pretty simple," he wrote.
Facebook is one of many companies to come to blows with the wider security research community. Google suffered a public backlash earlier this month after it attacked independent security researcher Elliott Kember for releasing research criticising Chrome's password storage protocols.