Facebook is in a bit of hot water at the moment since it publicly denied a bounty to an outside researcher for discovering and reporting a bug on the company’s social networking platform. In doing so, however, Facebook may have done the Palestinian researcher, Khalil Shreateh, a favor.

Marc Maiffret, CTO of BeyondTrust, decided that Shreateh’s effort should not go unnoticed and that he should be compensated accordingly.  In addition to creating a crowdfunded ‘appreciation’ account for Shreateh, Maiffret also deposited $3,000 out of his own pocket to show his support.  In total, Maiffret hopes to raise $10,000 to not only compensate Shreateh, but also to send a clear message to companies like Facebook that security researchers like Shreateh shouldn’t be taken for granted.

“Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone,” Maiffret posted on gofundme.com.

Facebook software engineer Matt Jones defended his company’s decision not to reward Shreateh for his discovery, citing the researcher’s lack of communication abilities and the fact that the privacy of several real Facebook users was violated, including that of the company’s own CEO, Mark Zuckerberg. According to Jones, “white hat” security researchers cannot violate the privacy of real people, and whatever tests are conducted to prove the existence of a bug must be done on fake accounts.

“Exploiting bugs to impact real users is not acceptable behavior for a white hat,” Jones said dismissively of Shreateh’s method for reporting the bug.

In Shreateh’s defense, he blogged that Facebook did not respond to his various attempts at presenting the bug report. Facebook’s security team, too, admitted that they should have responded accordingly and dug a little deeper so that the two parties could be on the same page.

Regardless of the outcome, it seems like both Facebook and Shreateh are walking away with something. Facebook now has one less bug to deal with, and Shreateh will pocket somewhere around $10,000 and possibly a job offer at a security research firm.

“I appreciate it, and my best wishes to everyone out there,” Shreateh said after receiving such overwhelming support from the online community.

Source: Computerworld