We all know this person had good intentions. But good intentions aren't always enough. Facebook doesn't appear to be freaking out at him. They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
This is like... the textbook definition of a hack.
> however if you have a human making decisions, and not just a drone following written orders, then the ability to make compromises exist. Just no one at Facebook wants to engage and be human it seems.
I love that this statement is downthread of a Facebook engineer's comment that states he considers the guidelines reasonable. It's as if you're just a drone following written orders without the ability to make compromises.
>This is like... the textbook definition of a hack.
Perhaps of "hacking FB", but he didn't "hack an account".
I don't see what the problems are for FB here. They have a moral obligation to reward him for reporting this bug, especially since their ToS are apparently not available in Arabic. Claiming that he showed any sort of malicious/inappropriate behavior is a really bad tactic to save some money when they clearly handled this very badly from the start, while his intentions were obviously good.
All they are achieving by reacting this way (including the apologets) is that next time, such people will just sell their exploits on the blackhat market.
re: reason; where does his reason come into play? It does not seem reasonable to post to M.Z.'s timeline, I'd guess he did that because he was P.O.ed at being dis'ed by the support people.
In the bureaucratic theory I am aware, if you have rules (policies, proceudres, standards etc.) you need to apply them consistently. Sometimes the rule will allow for discretion, sometimes not. I don't see room for discretion here.
Yeah, rules that don't take into account reason are inhumane. Similarly why we don't just give everyone 10 years in prison because they committed a crime - you take into account all aspects - and not just apply "oh but he committed a crime, so this is the result."
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
I don't see why that is. They already provide the following caveat:
> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.[1]
So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).
I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?
However, it also sounds to me like an opportunity for a bug / exploit reporting proxy business that validates, reproduces, and polishes reports in bulk. You most certainly could extract a much higher bounty per report.
In the appropriate language: https://news.ycombinator.com/item?id=6231153
Otherwise, you should make some good faith effort to not assume devious intentions on someone making a good faith effort to report problems.
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
Technically, according to the security person at Facebook, it wasn't a bug. When he did the same thing again on Mark Z's account, it suddenly became hacking. Yeah, he didn't follow a procedure that wasn't available to him in his native language, but he made a good faith attempt to report the bug, and did so several times.
> But good intentions aren't always enough.
Several attempts to contact them despite being told the actions he was taken was not a bug despite clearly explaining why it was?
