Here’s a fun story. Facebook has a “white hat hacker” program where they give money to hackers who report security problems. Well, a guy named Khalil Shreateh found such a bug. But despite repeated attempts to get through to Facebook reps, he was unsuccessful. In fact, a rep told him, “I am sorry this is not a bug.” So Shreateh just used the bug to post his finding to Mark Zuckerberg’s private timeline. That got a Facebook engineer’s attention—within minutes! Facebook confirmed that he had indeed found a bug. And soon the company rewarded Shreateh by shutting down his account.
After some screaming and begging, Shreateh got Facebook to reinstate his account. But the company claims that they can’t pay him for the bug they admit he found because (1) he didn’t provide them with enough information and (2) he violated Facebook’s terms of service by using the bug. But they said, “We do hope, however, that you continue to work with us to find vulnerabilities in the site.” According to The Daily Dot, what this shows is, “It pays to fully document a vulnerability before you send in your report. It doesn’t pay to mess with Mark Zuckerberg’s privacy.” That strikes me as awfully cavalier.
A much better response comes from Samuel Knight, who has been manning the Political Animal blog this weekend. He wrote, “Typical Silicon Valley libertarianism—cheating Shreateh out of money, while inviting him to continue to do work on the company’s behalf.” Indeed! It goes a lot further than that. I’m sure all the top people at Facebook see themselves as the very model of the libertarian ideal—meritocracy at work! But they’ll use any opportunity to screw over the non-billionaires. And what does this story really say other than, “Facebook doesn’t care about results; we have rules, damn it!”
I’m very concerned about the attitude of the article in The Daily Dot. I would think any normal high-tech person would be outraged at this. And it’s pretty stupid for Facebook too. If you want to turn a White Hat into a Black Hat, this is the way to do it! My only hope is that if Shreateh does move over to the dark side, he finds something to destroy Facebook. Then maybe people will stop bugging me to join that evil enterprise.
By the way: the total amount of money Facebook is withholding is—Wait for it!—$500. What a totally fucked up company!