Bug bounties are a fairly new phenomenon that has really captured the interest of the security community. The opportunity to find and disclose vulnerabilities appeals to many, for reasons ranging from making cold hard cash, to feeling a personal sense of achievement, to making a name for oneself.
Whilst the likes of Secunia have recently ended their reward programme, many other businesses still offer cash and recognition in return for responsible disclosure of security issues. One such organisation is Facebook, which offers a minimum of $500 via its White Hat program.
Palestinian IT graduate Khalil Shreateh recently attempted to claim such a bug bounty after showing how he could post on someone's timeline even if he was not their 'friend' (I previously wrote about that here). The problem, however, was that he went about it in entirely the wrong way.
After trying to contact Facebook via email and not getting any joy, due to a language barrier it seems, he took matters into his own hands and, ultimately, ended up posting on Mark Zuckerberg's own timeline.
This approach led to Shreateh losing his Facebook account for a time, and he was barred from receiving a bug bounty because demonstrating the flaw on a real user's account, rather than reporting it through the proper channel, was not disclosure in accordance with Facebook's terms and conditions.
This led Marc Maiffret, the CTO at BeyondTrust, to launch an online appeal to compensate Khalil for his efforts. The target for donations was not, however, set at the $500 that might have been earned by following Facebook's disclosure guidelines. Instead, $10,000 was sought. As you can see from the image above, the level of donations has already surpassed that figure and reached close to $11,000 at the time of writing.
Now, I don't doubt that Shreateh had good intentions when he hacked Zuckerberg's timeline, but is it right that someone who failed to adhere to the rules should profit so well from his actions? What message does this send to others in the sphere who become frustrated when they don't get the response they require from a company offering financial rewards for their efforts? And does it encourage researchers to demonstrate vulnerabilities prior to disclosure?
I think this call for donations is misguided at best. I wish Shreateh every success in the future, of course, subject to his following disclosure guidelines, but I do not think someone who screwed up should be rewarded for their failure. What are your thoughts on this?