Facebook Inc (NASDAQ:FB) Chief Security Officer Joe Sullivan admitted today that the company's systems failed in a recent hacking incident. Yesterday it came to light that a hacker posted a security bug on Mark Zuckerberg's Timeline because his attempts to report a security threat had been ignored by the company's security team.
Sullivan said today that the company had failed Palestinian hacker Khalil Shreateh. He empathized with Shreateh, writing, "I understand his frustration. He tried to report the bug responsibly, and we failed in our communication with him." The company has not changed its decision to refuse to reward the hacker, however, something that the company has been criticized for.
No change in Facebook policy
Facebook Inc (NASDAQ:FB) treats security threats seriously, and it rewards hackers who manage to uncover security problems in the company's infrastructure. The white hat disclosure program run by the company offers a minimum of $500 to those who uncover hacks and manipulations of the company's infrastructure. The firm has, however, decided not to pay Shreateh for his work.
The problem, according to Facebook Inc (NASDAQ:FB), is that Shreateh hacked a user's account in order to expose the exploitation. "We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users," wrote Sullivan in his post about the incident.
The post continued, "It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report (like the video he later published), and he could have used one of our test accounts to confirm the bug." The firm has no intention of paying the Palestinian because of his breach of those rules.
The future for Facebook hackers
Facebook Inc (NASDAQ:FB) is hoping that the case does not discourage other researchers from exposing bugs in its software. The company does offer real rewards to those who go about proving bugs with the dummy accounts designated for that purpose. Posting on Mark Zuckerberg's Timeline is not, apparently, an acceptable way to prove a flaw in the system.
Shreateh may not get a reward from the official program, but there is a Kickstarter style campaign underway that seeks to reward him. Marc Maiffret, the Chief Technology Officer of security firm BeyondTrust launched a campaign on crowdfunder gofundme to raise $10,000 as a reward. Right now the campaign is just shy of $9000.