Facebook’s White Hat Program pays community members set amounts of cash for reporting security vulnerabilities. However, when Khalil Shreathe, a systems information expert from Palestine, reached out to the security team last Friday, he was brushed off.
Shreathe’s initial report described a bug that allowed him to post on anybody’s wall, even if they were not his friend. To demonstrate it, he posted a link on the wall of Sarah Goodin, a college friend of Mark Zuckerberg.
A member of the Facebook Security team clicked the link, received an error message, and told Khalil that what he had found was not a bug at all. So Khalil took his efforts to the next level, politely posting his link on Zuckerberg’s own wall and exploiting the bug once more.
“Sorry for breaking your privacy to post to your wall,” says Shreathe in his post. “I had no other choice to make after all the reports I sent to Facebook team.”
This time, the Facebook engineers responded in force. However, Facebook denied Khalil a reward for finding the bug. Typically, security researchers are paid upwards of $500 for responsibly reporting critical bugs.
“The bug was demonstrated using the accounts of real people without their permission,” says Facebook Security Engineer Matt Jones. “Exploiting bugs to impact real users is not acceptable behavior for a white hat.”
Khalil did not, in fact, follow Facebook’s disclosure rules, but he was courteous in his demeanor, responsible in his actions, and did not sell his bug to spam advertisers. Surely a company that pays out over $1 million to bug reporters annually can give Khalil a little something for his efforts.