A campaign to recompense Khalil Shreateh, the security researcher who posted a message on Mark Zuckerberg's personal Facebook page in order to prove the existence of a serious security flaw, exceeded its target of $10,000 within a day. What does this tell us about the bounty system?
Facebook has had a Bug Bounty program for the past two years, and the latest update about it reports having paid out more than $1 million to 329 people across 51 countries; some are professional researchers, others are students or part-timers. The minimum reward is $500 and there is no upper limit - the largest single bounty so far has been $20,000.
So what went wrong in this instance?
Why did Facebook refuse to pay up despite the fact that the bug - one that allowed Facebook users to post on the Timelines (walls) of other Facebook users, even when they were not connected as friends - was real and Khalil Shreateh had originally submitted it via Facebook's Whitehat program in the prescribed manner?
Shreateh, who has a B.A. degree in information systems, is based in Palestine and describes himself as an "unemployee", has outlined what happened in his blog and also in this video:
In response to his first email reporting the bug, which included the link to the post he had made on the Facebook wall of Sarah Godin, a target chosen because she went to the same college as Facebook CEO Mark Zuckerberg, he received a reply from the Facebook security team saying:
"I don’t see anything when I click link except an error."
So Shreateh tried a second time, explaining why the link produced an error, and got the response:
I am sorry this is not a bug.
Shreateh then responded saying that he had no choice but to post to Mark Zuckerberg's timeline, and carried out his threat, posting an apologetic message:
"First, sorry for breaking your privacy and post(ing) to your wall, I (have) no other choice to make after all the reports I sent to (the) Facebook team."
This action was indeed effective: it led not only to the flaw being fixed but also to his Facebook account being disabled and, once the account was restored, to the message:
We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
Hardly an appropriate response, but one that Facebook is sticking with. In a post on the Facebook Security page, Joe Sullivan, Chief Security Officer, stated:
We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users. It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report (like the video he later published), and he could have used one of our test accounts to confirm the bug.
Sullivan did concede that there was fault on both sides:
He tried to report the bug responsibly, and we failed in our communication with him. We get hundreds of submissions per day, and only a tiny percent of those turn out to be legitimate bugs. As a result, we were too hasty and dismissive in this case. We should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem. The breakdown here was not about a language barrier or a lack of interest — it was purely because the absence of detail made it look like yet another misrouted user report.
Moreover, as a result of the experience, Facebook is making changes to try to "clearly articulate what we need to validate a bug."
The security researcher community obviously feels that Facebook's behavior is shabby. In an interview with CNN, Marc Maiffret, CTO of security firm BeyondTrust, gave his opinion that Shreateh should be rewarded, saying:
"He found a great vulnerability in Facebook, he tried to report it responsibly in his own way, and I think it would be the right thing to support him and send a good message. So that folks like him who continue to report it to the Facebooks of the world versus selling it for a lot more money in the underground."
It was Maiffret who launched the fund-raising campaign on GoFundMe, with an initial donation of $2,000 and the stated aim:
Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone.
Donations are still being accepted and the fund has now passed $11,000, which will perhaps send a message to Facebook as well.