Facebook Chief Security Officer Joe Sullivan said in a note on the Facebook Security page that he understood the frustration expressed by Khalil Shreateh, the researcher who used a bug he had reported to the social network to post directly to the Timeline of Facebook Co-Founder and CEO Mark Zuckerberg. Sullivan nonetheless defended the company's decision not to offer Shreateh a reward: the researcher had demonstrated the bug against an actual user (not to mention the head of the company) rather than against a test account.
Recently, a researcher tried to tell us about a bug that would allow users to post on the Timeline of another user who was not their friend. He made headlines when he got frustrated with us and used that vulnerability to post on the wall of a real user.
I’ve reviewed our communication with this researcher, and I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him. We get hundreds of submissions per day, and only a tiny percent of those turn out to be legitimate bugs. As a result, we were too hasty and dismissive in this case. We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem. The breakdown here was not about a language barrier or a lack of interest — it was purely because the absence of detail made it look like yet another misrouted user report. An example of the type of detailed report we encourage is the video this researcher released after the fact. Most researchers will provide that level of detail in their reports to us, and this is the type of granularity we need to investigate reports and, if they’re legitimate, reward the people who submitted them.
We will make two changes as a result of this case: We will improve our email messaging to make sure we clearly articulate what we need to validate a bug; and we will update our white hat page with more information on the best ways to submit a bug report.
We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users. It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report (like the video he later published), and he could have used one of our test accounts to confirm the bug.
We hope this case does not discourage this researcher or any other researcher from submitting future reports to us. We’re passionate about improving Facebook’s security, and we want to continue to build strong relationships with security researchers all over the globe.
Readers: What did you think of Sullivan’s response?