Let’s just face it: you cannot find any system or software that is totally free of vulnerabilities. Regardless of how good your security team is, there will always be some flaw in your system that can compromise the personal information of the system’s users.
For this reason, the bigger companies have started ‘bug bounty’ programs that help them discover vulnerabilities with the help of security researchers, in exchange for rewards.
Facebook is one such company; it operates a WhiteHat program that pays bug bounties to researchers and users who find qualifying vulnerabilities in the social network. The bounties start from $500, and the largest amount paid recently has been $20,000.
Recently, a researcher who goes by the name of Khalil found a vulnerability in Facebook’s system, which he reported twice to their security team. The bug allowed a user to post a message on the wall of any other person who was not in their friends list. After the second report, he received the reply “I am sorry this is not a bug”. In response, he offered to demonstrate the vulnerability on a test account belonging to a Facebook security expert.
Left with no other option, Khalil posted the same message on the wall of Mark Zuckerberg, explaining the exploit as well as the response he had received from the Facebook security team. Within minutes of the post, the Facebook security team contacted Khalil for details about the exploit and disabled his account while they worked on patching the flaw.
Although the issue was fixed by Facebook engineers, they refused to pay Khalil the bug bounty, saying that he had violated their terms of service. Here is the message Khalil posted on Mark Zuckerberg’s wall.
Later, his account was re-enabled, but the social network did not pay him any bounty for finding the bug. To be eligible for a bounty, researchers must follow a set of rules. In Khalil’s case, the social network did not say which rules he had broken.