Zuckerberg Facebook hacker gets $10k fundraiser bug bounty


Palestinian security researcher Khalil Shreateh is set to receive more than $10,000 in donations after Facebook refused to pay him for a significant security flaw he disclosed in a way that breached its terms of service.

The security researcher had initially attempted to quietly inform Facebook of the flaw, which allowed him to post updates to any user's profile Wall.

The situation worsened after a Facebook security engineer told Shreateh his vulnerability report -- which lacked detail -- "was not a bug".

In a bid to prove the vulnerability, the unemployed software engineer from the West Bank then posted a status update to the profile Walls of founder Mark Zuckerberg and an associate.

[Image: Zuckerberg Wall post demonstration]

Facebook temporarily suspended his account before fixing the bug.

The hack made international headlines, with Shreateh splashed across news programs including Al Jazeera and CNN.

Facebook stood firm in its refusal to pay him under its bug bounty reward scheme because he did not conform to its requirement that researchers disclose specific details of vulnerabilities without exploiting users.

In response, BeyondTrust chief technology officer Marc Maiffret posted an online fundraiser, which has now surpassed its goal of raising $US10,000 to help Shreateh with his "future security research".

Dozens of comments under the fundraiser page praised Shreateh, who in turn said he was shocked and grateful for the money.

He also warned that fraudsters had opened fake accounts to solicit funds under his name and posted a link to his legitimate Facebook page.

Facebook did not immediately respond to requests by SC for comment yesterday, but in a blog post overnight chief security officer Joe Sullivan said he understood Shreateh's frustration, adding that the company "failed" in its communication.

"He tried to report the bug responsibly, and we failed in our communication with him," Sullivan said.

"We get hundreds of submissions a day, and only a tiny percent of those turn out to be legitimate bugs. As a result we were too hasty and dismissive in this case.

"We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem. The breakdown here was not about a language barrier or a lack of interest — it was purely because the absence of detail made it look like yet another misrouted user report."

Facebook would update its normally lauded bug bounty program to make the requirements for vulnerability reports clearer in email correspondence, and would update the bug bounty page with more information on how to submit a bug report.

But it would not change its rule that researchers who exploit users forfeit payment.

"It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report, and he could have used one of our test accounts to confirm the bug," Sullivan said.

"We hope this case does not discourage this researcher or any other researcher from submitting future reports to us."


Copyright © SC Magazine, Australia
