The security researcher tried to submit a vulnerability via the proper channels

Aug 20, 2013 07:23 GMT

Facebook is providing an official response to the discussion concerning a recent vulnerability report. One researcher failed to grab the attention of the company's security engineers via the established channels, so he hacked CEO Mark Zuckerberg's wall using the very bug he was trying to report.

It worked, since Facebook certainly noticed. The researcher, Khalil Shreateh, still won't be getting any money; the bug would have warranted a $500 (€375) reward if filed properly. But Facebook insists that using vulnerabilities to hack into active users' profiles is never a good idea and will never be rewarded.

"We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users. It is never acceptable to compromise the security or privacy of other people," Facebook explained.

Don't worry too much about Shreateh, though: other security researchers have banded together and are raising some $10,000 (€7,500) to reward him for his work, even if Facebook won't.

The company did admit, though, that it handled the case poorly. The researcher had sent two reports via the official whitehat program, only for them to be dismissed.

The reports were lacking in detail, and the Facebook engineers who review them, used to seeing many erroneous or misguided reports every day, didn't pay much attention beyond a couple of checks that failed to reveal the bug.

Facebook explains that it plans to improve communication with researchers and will ask for more details when those details are lacking.

It also plans to provide more information to researchers on how to properly report a bug, both via email communication and on the whitehat page itself.

"I've reviewed our communication with this researcher, and I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him. We get hundreds of submissions a day, and only a tiny percent of those turn out to be legitimate bugs," Joe Sullivan, Facebook's chief security officer, explained.

"As a result we were too hasty and dismissive in this case. We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem," he added.