Khalil Shreateh, the white hat hacker who found a vulnerability in Facebook Inc (NASDAQ:FB) security, will receive an $11,000 bounty, but the money will not come from the social network giant, as it refused to reward him because his method of reporting was unethical.
Facebook rewarding those who report bugs
Facebook Inc (NASDAQ:FB) is known as a hacker-friendly company for giving approximately $1 million in rewards to those who reported bugs affecting its website. However, the social network giant did not approve the method used by Shreateh of reporting the vulnerability.
Shreateh hacked the Facebook account of the social network giant’s CEO, Mark Zuckerberg, and posted the bug on his Timeline. Prior to hacking Zuckerberg’s accounts, Shreateh reported the bug via e-mail to Facebook Inc (NASDAQ:FB)’s white hat disclosure program. However, the security team ignored his report.
According to Facebook Inc (NASDAQ:FB)’s security team, the white hat hacker violated the company’s terms of service by compromising the privacy of its users. In Shreateh’s case, he violated the privacy of the company’s CEO.
Joe Sullivan on Facebook security
Joe Sullivan, chief security officer of Facebook Inc (NASDAQ:FB), wrote, “We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users. It is never acceptable to compromise the security or privacy of other people.”
On the other hand, Marc Maiffret, chief technology officer of BeyondTrust, a cybersecurity firm, created a donation campaign to reward Shreateh’s efforts in reporting Facebook’s security bug. His objective is to send a message to security researchers that their initiative in doing good for everyone is appreciated.
“Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work. Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone,” Maiffret said.
Khalil Shreateh failed to provide complete data
Facebook Inc (NASDAQ:FB) security members also explained that Shreateh failed to provide complete information regarding the security bug and that he has limited English skills. The company’s response to the white hat hacker was also delayed because the security team receives hundreds of bug reports daily.
The campaign to reward Shreateh raised $11,360 from 204 supporters in one day.