Hacker Posts About FB Flaw to Zuckerberg's Wall (gets way worse)

[Renegade]

This is funny!

http://rt.com/news/f...cker-zuckerberg-621/

A Palestinian information system expert says he was forced to post a bug report on Mark Zuckerberg’s Facebook page after the social network’s security team failed to recognize that a critical vulnerability he found allows anyone to post on someone's wall.

The vulnerability, which was reported by a man calling himself ‘Khalil,’ allows any Facebook user to post anything on the walls of other users - even when those users are not included in their list of friends. He reported the vulnerability through Facebook’s security feedback page, which offered a minimum reward of US$500 for each real security bug report.

...

After receiving the third bug report, a Facebook security engineer finally admitted the vulnerability but said that Khalil won’t be paid for reporting it because his actions violated the website’s security terms of service.

Summary:

• Buddy reports bug to security team
• Security team tells him to piss off
• Posts to Zuckerberg's wall
• Security team won't pay reward for bug that they refused to listen to

Just all around it's wonky. The part that I found the worst was the reward part. It's just really douchey.

This is exactly why security experts should instead of reporting bugs to companies, should just sell exploits to criminals. If companies won't act in good faith, why should any security experts?

[TaoPhoenix]

Does Zuckerberg Like this?

: )

[Renegade]

Does Zuckerberg Like this?

: )

-TaoPhoenix (August 18, 2013, 12:59 AM)

  Dunno, but I do!

[40hz]

From my experience, NIH is invariably the default reaction of most large organizations to outside input. Even if such input is well intentioned - and requested by the organization itself - the knee-jerk tendency to circle the wagons and stonewall is just too ingrained. Because you're far less likely to be punished for inaction than you are for doing something, refusal to take action is often the smarter strategy in a corporate setting. Dilbert referred to this behavior as "Learned Helplessness."

Bug identification is much like whistleblowing. The very businesses encouraging you to "participate" usually prefer that you don't.

In management circles, such behavior is generally seen as an early indication an organization has passed it's prime and started its decline.

[Stoic Joker]

This is exactly why security experts should instead of reporting bugs to companies, should just sell exploits to criminals. If companies won't act in good faith, why should any security experts?

-Renegade (August 17, 2013, 11:28 PM)

That's been tried already ... The NSA screwed them too.

[wraith808]

This is exactly why security experts should instead of reporting bugs to companies, should just sell exploits to criminals. If companies won't act in good faith, why should any security experts?

-Renegade (August 17, 2013, 11:28 PM)

That's been tried already ... The NSA screwed them too.

-Stoic Joker (August 18, 2013, 08:11 AM)

  oh no he didn't! 

[IainB]

40hz: ^^ wot you said. I suspect you have hit the nail on the head.