In the eye of a storm for not paying a Palestinian white-hat who exposed a vulnerability by posting on Mark Zuckerberg's profile, Facebook has aimed to clear the air over how its bug-reporting process works.
In a post on the Facebook Security blog, Chief Security Officer Joe Sullivan wrote that the team will be making two main changes as an outcome of the Zuckerberg wall-hack misadventure. Firstly, the company will be improving its email messaging to make clear what the security team needs in order to validate a bug. Secondly, Facebook will be updating its White Hat page with more information about the best ways to submit a bug report.
Sullivan admitted that there had been a lapse on the part of Facebook's security team while addressing the issue reported by Khalil, a security researcher from Palestine. Sullivan wrote that the team could have better informed Khalil that details the team needed in order to replicate the bug were missing from his initial message. “The breakdown here was not about a language barrier or a lack of interest — it was purely because the absence of detail made it look like yet another misrouted user report,” he clarified.
Rules are rules
Khalil, frustrated that Facebook's security team was not paying heed to his reports, used the bug itself to post on Zuckerberg's wall, describing the flaw and noting the team's laxity. Within minutes, he was contacted for details of the bug, and his account was frozen.
People online are angry that Facebook refused to pay Khalil a reward for his bug and his act of daredevilry, but Facebook has stood its ground. Sullivan wrote, “We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users. It is never acceptable to compromise the security or privacy of other people.” He elaborated that Khalil could instead have sent a much more detailed report, or could have used one of the social network's own test accounts to confirm the bug, which would have demonstrated the flaw without touching a real user's account.
That may not be enough to satisfy users who believe it was Facebook Security's own lapse that pushed Khalil to do something this drastic, but Facebook's position is that rules are rules.