Facebook Does Not Reward Hacker So Crowdfunding Website Does

Posted Aug 20, 2013

A Palestinian hacker named Khalil Shreateh tried to report a bug to Facebook’s security team, but he did not get any sort of response.  Out of frustration, he decided to show Facebook CEO Mark Zuckerberg that the Facebook Wall system had a flaw.  He was able to write on Zuckerberg’s Facebook Wall without actually being his Facebook friend.

Khalil Shreateh reported the bug through Facebook’s white-hat bug reporting system, which promises that bug hunters get awarded.  The report was ignored multiple times so this is when he decided to write on Mark Zuckerberg’s wall to prove that he found a way to write on someone’s wall without being their Facebook friend.

“I’ve reviewed our communication with this researcher, and I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him. We get hundreds of submissions a day, and only a tiny percent of those turn out to be legitimate bugs,” stated Facebook chief security officer Joe Sullivan.  “As a result we were too hasty and dismissive in this case. We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem. The breakdown here was not about a language barrier or a lack of interest ? it was purely because the absence of detail made it look like yet another misrouted user report. An example of the type of detailed report we encourage is the video this researcher released after the fact. Most researchers will provide that level of detail in their reports to us, and this is the type of granularity we need to investigate reports and, if they’re legitimate, reward the people who submitted them.”

Apparently Khalil violated Facebook’s bug bounty rules, which is why the social network company decided not to reward him.  Facebook’s move is controversial because Khalil attempted to report the bug.

“We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users. It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report (like the video he later published), and he could have used one of our test accounts to confirm the bug,” added Sullivan in the blog post.

Since Facebook decided not to reward Khalil, the hacker community rallied to crowd-fund an award for him through the website GoFundMe.  The campaign was started by Marc Maiffret and it has surpassed $10,000 already.

“Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone,” stated Beyond Trust chief technology officer Maiffret.