Let's say you're a fledgling security researcher and you've found a significant hole in Facebook -- one that allows any Facebook member to post anything they feel like to anyone else's wall, regardless of friendship status. You dutifully report the hole to Facebook's Whitehat security team and wait for the company to cut you a $500+ check, the standard bounty for bug hunters.
Instead you receive a terse reply, stating simply, "I'm sorry, this is not a bug."
Nothing else happens. Your report continues to go unacknowledged, and the bug remains. You get impatient and decide to do something to get Facebook's attention. What would you do?
If you're Khalil Shreateh, a systems information expert from Palestine, you do it by using the bug itself to post a message on Mark Zuckerberg's wall.
That, finally, worked. Within moments, Khalil's Facebook account was suspended and Facebook security engineers were in touch with him, anxious to learn the details of the exploit.
There's just one problem: Facebook isn't willing to pay Shreateh a dime for the report.
Swallow the money
Shreateh originally demonstrated that his hack worked by posting a video of Enrique Iglesias to the wall of one of Zuckerberg's oldest friends. When that was ignored, he went for Z's wall itself. But both that first post and the post to Zucky's wall violate Facebook's terms and conditions for bug reporting, notes Facebook security engineer MK Jones in a post to Hacker News:
...the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts ...to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
Facebook allows researchers to use real accounts when they can't reproduce the vulnerability using the test accounts. It's not clear if this was the case here. Shreateh wrote a blog post detailing the efforts he made to alert Facebook to the vulnerability, along with a video, but his English is fractured and hard to follow.