After a frustrated researcher demonstrated a vulnerability by posting on CEO Mark Zuckerberg's profile page, Facebook has promised to fix the processes behind its Whitehat bug-reporting program. According to a post on the Facebook Security blog, Chief Security Officer Joe Sullivan says the company will improve its email messaging to make clear what it needs in order to validate a bug, and will update its Whitehat program pages to explain more clearly how bugs should be reported.
The researcher, known as 'Khalil,' lost patience after failing to convince Facebook that he had found a bug. He emailed the Whitehat program contacts three times; the only response he received was that the issue he reported was 'Not a Bug'. Khalil then made his point in public by posting details to Zuckerberg's wall, after which Facebook promptly dealt with the bug.
Sullivan admits that Facebook failed in its communication with the researcher and was "too hasty and dismissive" about his case. He adds that the company should have explained that his initial messages did not contain enough detail for its team to reproduce and respond to the problem.
Sullivan notes that researchers typically provide more detail than Khalil did. The problem, he says, was neither a language barrier nor a lack of interest on Facebook's part; the absence of detail simply made the report look like yet another misrouted user report.
Despite these admissions, Facebook is not going to change its policy of excluding payouts to anyone who tests vulnerabilities against real users. Sullivan says it is never acceptable to compromise the security or privacy of other people. In this case, the researcher could have sent a more detailed report and used Facebook's test accounts to confirm the bug instead.
So although his example has at least prompted Facebook to clarify its processes for the future, Khalil will receive no money: Zuckerberg is a real user, regardless of also being the company's CEO and founder.
Facebook says it will watch whether the improved communication keeps other researchers from feeling pushed into more visible actions to demonstrate issues. Either way, the incident is an embarrassing one for Facebook's security staff, who will not want to repeat such a performance.