Remember earlier in the week when a researcher posted on Mark Zuckerberg’s Facebook wall in order to prove a privacy flaw in his own behemoth social network? Facebook’s security team denied the flaw, and likewise denied the bounty money to the Palestinian researcher Khalil under the company’s Bug Bounty program.
Despite Khalil and Facebook being at odds, it appears that there are people out there who appreciate the breach of security.
Marc Maiffret, CTO of BeyondTrust, decided that Khalil should be compensated for his service and created a crowd-sourced fund for the researcher, with a goal of reaching $10,000, after which the amount will be deposited in Khalil’s account. In addition, Maiffret deposited $3,000 from his own pocket into the fund. In less than 24 hours, 79 people contributed nearly $9,000 to the fund.
Maiffret insisted that this was a serious privacy flaw and could have been used by any criminal to exploit the privacy of any company’s page by posting dangerous links or anything for that matter. “It would have been something that was very useful to folks in the underground to be able to post different content on celebrity sites or whatever it might have been, to be able to lure people to websites that would then attack them,” he said. “With the nature of the severity, it would be good for Facebook to pay the guy.”
Facebook security team member Matt Jones weighed in on the whole issue and defended his company’s decision not to pay Khalil the bounty money because of his actions. Jones said that the Palestinian used the wrong means of delivering his message, and that he could have demonstrated the issue using a test account rather than the account of none other than Facebook CEO Mark Zuckerberg. According to the Facebook team, they receive hundreds of submissions every day and most of them are not legitimate. Therefore, they try to be as fast as possible, and with the details provided by Khalil there was definitely a communication error.
“Exploiting bugs to impact real users is not acceptable behavior for a white hat,” says Jones.
In his defense, Khalil mentioned on his blog that Facebook did not respond to multiple emails he sent to the security team. On the other hand, the security team also acknowledges that they should have dug a little deeper and responded to Khalil’s flaw report sooner.
Khalil appreciated what the BeyondTrust CTO did for him. He has also received a number of job offers in the security business, but has not yet accepted any of them.