Facebook CSO responds to the industry's criticism

Dec 19, 2015 10:26 GMT

Facebook's Chief Security Officer (CSO), Alex Stamos, has responded to accusations of "playing dirty" and trying to intimidate a security researcher during a recent bug disclosure scandal that surrounded an Instagram security issue.

Two days ago, Wesley Wineberg published an account of his ordeal in reporting a serious bug in Instagram's architecture to Facebook.

Mr. Wineberg says that he found a chain of vulnerabilities that allowed him complete access to Instagram's backend, but instead of being paid a reward in Facebook's bug bounty program, he was treated with mistrust, and later ignored.

During the incident, Mr. Wineberg said that Mr. Stamos even went as far as calling his employer and trying to intimidate both the company and the researcher into not disclosing the bug. As you can imagine, the security research community reacted with hostility toward Facebook, and its CSO published a statement yesterday to clear the air around the issue.

Facebook's staff panicked after Wineberg downloaded private Instagram data

According to Mr. Stamos, the whole story revolves around the fact that Mr. Wineberg did not like the sum Facebook was willing to pay, which was $2,500 / €2,300. This was in part because the initial bug he discovered was a duplicate, having already been reported by another researcher.

Additionally, communication between the two sides seems to have taken a turn for the worse after Mr. Wineberg, trying to prove the wide-reaching capabilities of the bug, went as far as downloading data from Instagram's servers. This sent the Facebook security team into a "code red" status, fearing the researcher might sell the data on the black market.

As Mr. Stamos points out, he called Mr. Wineberg's employer looking for an impartial intermediary before events could spiral out of control, with consequences such as Mr. Wineberg misusing the downloaded data or Facebook's legal department becoming involved.

As with most scandals surrounding bug disclosures, this one comes down to the absence of an independent party to decide the reward for security research, leaving that decision to the affected company alone.