You don't even have to tell anyone you did it if you are worried about "rewarding non-preferred behavior".
Mute the commercial and watch this video to meet this guy and realize he was trying to help and you were being idiots:
http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-f...
He hasn't worked in two years and his laptop is missing 5 keys.
Facebook's stance is akin to "we don't negotiate with terrorists". Although obviously this wasn't malicious (or "terrorism"); just a case of a foolish newbie who failed to follow the rules.
How was he foolish? Also the rules weren't written in his first language. Intent matters[1]. Facebook needs to be the first place people like him go, and be welcoming.
Facebook could do many things that don't involve paying a bounty directly. For example they could make a donation of the same amount to a suitable school or charity in his area.
[1] For example we do that when people are killed http://en.wikipedia.org/wiki/Murder_(United_States_law)#Degr...
Bounty programs are not there to create a more appealing market and out-bid the black hat hackers.
He did follow the rules. Just that he didn't know how to express them. And what made you think he is foolish?
Now is the time for both sides to make their apologies and for Facebook to reward the hacker.
If people see that Facebook backs out of paying for legitimate, reported bugs, they'll seek other options to monetize them.
In his report he lacked the communication skills necessary to make a useful bug report, which in my opinion caused the problem.
If anything, he had great communication skills. He overcame a non-native language barrier, while being conversationally blocked, and still made his point clearly.
Besides, are communication skills the important skill here? I would say, not.
Facebook do not pay white hat hackers at a level appropriate to their skill and work ($1m total? that's all?!) and now it's also clear they are looking for technicalities to avoid payment.
I've reviewed our communication with this researcher, and I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him.
Facebook says Facebook failed communication. "He tried, we failed," is pretty cut and dried.
If you are taking reports from users about security problems, treat every one as real until proven otherwise.
If you say you will pay 500 bucks per bug reported, you will have a huge fail rate. Even if Facebook support is well motivated, after 3 hours of work and answering 100 tickets you might not be able to understand something written in this way:
"Rhe vulnerability allow’s facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and i got success post … of course you may cant see the link because sarah’s timeline friends posts shares only with her friends , you need to be a friend of her to see that post or you can use your own authority ."
Facebook gives $500 per bug reported, which ends up in a lot of fail reports if somebody sends something like this:
"Rhe vulnerability allow’s facebook users to share posts to non friends facebook users , i made a post to sarah.goodin timeline and i got success post … of course you may cant see the link because sarah’s timeline friends posts shares only with her friends , you need to be a friend of her to see that post or you can use your own authority ."
You might mistake it for:
"You can post something on a friend's page and you can't see it if you aren't friends with that person"
If you could create your own "non-friend" user mock object and demonstrate the bug, no one has to parse your bad language. He proved the bug through a live test - doesn't it make sense to provide this kind of testing ground to whitehats?
I'm not a hacker, just a plain old developer. But in my world, when I want to explain something, I do it with test-case code and live examples, not through long-winded emails or bug reports.
That said, Facebook will surely find some deal so they end up with positive PR.
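The kind of test-case demonstration the comment above argues for, written as an added example that is not code from this thread or from Facebook. It models the reported behaviour (a non-friend able to post to someone's timeline) with mock objects instead of a live account: a constructed `User`/`Timeline` model, a constructed vulnerable posting function that only checks for a login, the fixed variant that enforces the friends-only rule, and a regression check that shows the first fails and the second holds. Every name below is an assumption made for illustration.

```python
"""Mock-object regression test for a timeline-posting authorization rule.

Added example, not code from the thread or from Facebook. The User and
Timeline classes, the friends-only rule and both posting functions are
constructed assumptions used to illustrate "demonstrate the bug with a
test case" rather than with prose.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when an actor is not permitted to perform an action."""


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)  # names of accepted friends

    def is_friend_of(self, other: "User") -> bool:
        return other.name in self.friends


@dataclass
class Timeline:
    owner: User
    posts: list = field(default_factory=list)  # (author name, text) pairs


def post_to_timeline_vulnerable(actor: User, timeline: Timeline, text: str) -> bool:
    """Constructed vulnerable variant: checks only that someone is logged in,
    never whether the actor is a friend of the timeline owner."""
    if actor is None:
        raise AuthorizationError("login required")
    timeline.posts.append((actor.name, text))
    return True


def post_to_timeline_fixed(actor: User, timeline: Timeline, text: str) -> bool:
    """Fixed variant: the friends-only rule is enforced server-side, for the
    owner's own posts and for posts by accepted friends only."""
    if actor is None:
        raise AuthorizationError("login required")
    if actor is not timeline.owner and not timeline.owner.is_friend_of(actor):
        raise AuthorizationError(f"{actor.name} is not a friend of {timeline.owner.name}")
    timeline.posts.append((actor.name, text))
    return True


def non_friend_is_blocked(post_fn) -> bool:
    """Reproduce the report with mocks: a stranger tries to post to a
    timeline whose owner has not accepted them. Returns True when the rule
    held (rejected, nothing stored), False when the post went through."""
    owner = User("owner", friends={"alice"})      # constructed sample data
    stranger = User("stranger")                   # not in owner's friends
    timeline = Timeline(owner)
    try:
        post_fn(stranger, timeline, "hello from a non-friend")
    except AuthorizationError:
        return len(timeline.posts) == 0
    return False


def friend_can_post(post_fn) -> bool:
    """Control case: an accepted friend must still be able to post, so the
    fix does not simply disable the feature."""
    owner = User("owner", friends={"alice"})
    alice = User("alice")
    timeline = Timeline(owner)
    post_fn(alice, timeline, "hello from a friend")
    return timeline.posts == [("alice", "hello from a friend")]


if __name__ == "__main__":
    for label, fn in (("vulnerable", post_to_timeline_vulnerable),
                      ("fixed", post_to_timeline_fixed)):
        print(f"{label}: non-friend blocked={non_friend_is_blocked(fn)}, "
              f"friend can post={friend_can_post(fn)}")
```

Run as a script it reports that the vulnerable variant lets the stranger's post through while the fixed variant rejects it and still accepts a friend's post. The value of this shape of report is that a triager does not have to parse prose: the failing assertion is the claim, and the same test becomes the regression test once the rule is fixed.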