The hacker who uncovered a bug on Facebook earlier this week may indeed get a reward for his efforts, but not from the social network itself.
After it became clear that Facebook would not pay Khalil Shreateh a bug bounty for his discovery, arguing that he had violated the site’s Terms of Service, a crowdfunding effort launched on GoFundMe to raise funds for Shreateh — an unemployed Palestinian programmer — independently.
Within three days more than 250 people contributed more than US$12,000 toward the fund. Facebook typically offers rewards beginning at $500 for those who find such bugs; the largest single reward it has paid was reportedly $20,000, but Facebook actually places no limits on the size of its bounties.
“We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users,” said Joe Sullivan, chief security officer at Facebook. “It is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report (like the video he later published), and he could have used one of our test accounts to confirm the bug.”
Facebook declined to provide further details.
‘The Good Fight’
The turn of events came about for Shreateh when BeyondTrust CTO Marc Maiffret launched the GoFundMe campaign with a goal of $10,000. In about a day, some $11,245 was raised.
“I launched the Facebook bounty on a bit of a whim during a CNN interview in which I said if Zuckerberg did not have the couple thousand dollars to help this guy out then I would be happy to,” Maiffret told TechNewsWorld. “After the interview, in talking with some of my researchers at BeyondTrust, we decided setting up a fund would make an even bigger impact.
“My goal was simply to do what I thought was right for Khalil and also to hopefully inspire other researchers to continue the good fight of finding security issues and working to get them fixed for the entire Internet community at large,” Maiffret added.
‘It Would Be Chaos’
Facebook surely has more than a few critics of its handling of this issue.
“It’s another eye-opening moment to see how people are responding to Facebook’s latest privacy gaffe,” Josh Crandall, principal analyst at Netpop Research, told TechNewsWorld. “If Facebook isn’t going to pay out a bounty program, why do they have one set up in the first place?”
Not everyone thinks Facebook was wrong, however.
“Facebook was right to not pay,” Chris Wysopal, CTO and cofounder of Veracode, told TechNewsWorld. “Remember, the vast majority of software companies do not pay bounties.
“The 10 or so that do all have rules you follow to get paid,” Wysopal added. “If they didn’t enforce the rules it would be chaos. Can you imagine everyone hacking the pages of Facebook employees, going public with their findings and expecting to be paid?”
There were communication failures on both sides, he concluded, “but the remedy is not to do whatever you want and expect to get paid.”
Weighing the Risks
Of course, there could be risks associated with not paying hackers.
“Paying hackers is better than having them take an adversarial role,” independent social media analyst Billy Pidgeon told TechNewsWorld. “It is best not to make the hacker community angry.”
In this case, the community’s quick and vigorous response made it clear whose side many were on.
“Clearly the community sent a loud and clear message that they appreciate security researchers doing the right thing and fixing bugs,” said Maiffret. “It is easy to see that more than just the security community pitched in here — many everyday, average computer users helped contribute a great amount.”
Indeed, “it’s good that the community is supporting this, and the public at large,” Casey Ellis, CEO of Bugcrowd, told TechNewsWorld. “Independent researchers are critical to Internet security, and more so going forward.”
This should also send a message to Facebook that they need to step up to the plate and follow through with their promises, and just pay him. Not come up with excuses not to. Facebook ignored him at first when he tried to explain the security hole, then they refused to pay him after he did the only thing he could, which was to demonstrate the security hole; he did them a favor. Facebook stinks.