Facebook Wrong in Refusing to Pay Helpful Hacker
Hey, Facebook: Pay the man.
A hacker found a flaw in Facebook, reported it, eventually (and that's the sticky part) got results and then went for the $500 he was owed as part of Facebook's own bug-bounty program.
Facebook has declined. Why? Because the hacker didn't follow the company's rules.
The story is simple, and without dispute. A person identifying himself as a Palestinian named Khalil found that he could actually post information on other people's Walls, even if they weren't friends. So he put a message on the wall of Sarah Goodin, who is a college friend of Facebook founder Mark Zuckerberg. He then alerted Facebook.
Facebook's response? It's not really a bug.
Knowing that he was right, Khalil escalated the issue in an innovative way: He posted a message on Zuckerberg's own Wall, with an apology (and less-than-Oxford grammar).
“Dear Mark Zuckerberg,” his post read. “First sorry for breaking your privacy and post to your wall , I has no other choice to make after all the reports I sent to Facebook team.”
That certainly got Facebook's attention. It fixed the bug, and then decided to shoot the messenger.
First, Facebook suspended Khalil's account “as a precaution," as if Khalil might do the unthinkable and point out another flaw.
Then, it blamed him for not explaining himself correctly. "Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it," a company engineer wrote to him. "We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue."
Then, to make it clear that this whole, unfortunate incident was Khalil's fault, the company told him he can't get the $500 bounty “because your actions violated our Terms of Service." You see, Khalil did a very naughty thing by discovering this bug and exploiting it, Facebook reminded him, when he should have alerted the company to the problem and let the very helpful and responsive Facebook staff fix it. Oh wait...see above.
Facebook could be making lemonade out of this lemon, but it instead has made lighter fluid. The money is small, as the company has paid out about $1 million in bounties over the past two years. It is a small price to pay for making this issue disappear.
Plus it is the right thing to do. Facebook set up the bounty system to reward people for pointing out its flaws. It is a cheap, easy way to ensure quality. Khalil helped Facebook. He didn't harm the company in any way. Maybe Zuckerberg didn't like someone hacking his page, but it didn't have to come to that.
But what about the principle involved? Didn't Khalil exploit the flaw? Yes, but only because Facebook refused to see it had a problem. It argued with him. Worse, it blamed him. Rather than citing a technicality, it should be more introspective about its own handling of the situation. If the company doesn't want to compensate Khalil, is it equally looking into the compensation of all the Facebook employees who touched this issue and did nothing?
Pay the man. Facebook has benefited greatly from the incident. Why should Khalil have to pay for that?
Tell us what you think. Did Facebook mistreat Khalil?