So the security person who said "This is not a bug," - what's happening there? If they had guided the guy reporting the bug, asked for more information or directed him to the expected methods for reporting, then this would have likely gone completely differently, right?
By the time he'd reported it, he had already used the exploit to post on a live, non-friend account. As far as I understand, that's already a violation of the TOS.
It's fairly obvious he didn't understand the whole whitehat accounts he should have been using. English isn't his first language, so should we fault the guy for that - or Facebook, who's an international company with 1+ billion users? Or should Facebook own up to the fact that they should probably update their documents - or give the guy a fucking break because they haven't done that? This is where you need REASON to react REASONABLY, and not just use a blanket statement to "make their life easy" in decisions like this. That's lazy and inhumane.