Security expert kick-starts fund to pay Facebook bug finder a $10K bounty
Khalil Shreateh, who was rebuffed by Facebook, says, 'Thank you so much'
Computerworld - After a Palestinian researcher was denied a bug bounty by Facebook, Marc Maiffret, CTO of BeyondTrust, kicked off a crowd-sourced fund yesterday to come up with a reward.
The researcher, Khalil Shreateh, expressed his gratitude today to Maiffret and others who have contributed to the fund. "Thank you so much. I never imagined what they will do for me," Shreateh said in a telephone interview.
Seventy-nine people have contributed nearly $9,000 in the last 24 hours to an account that will be handed over to Shreateh once it reaches the goal of $10,000.
Maiffret seeded the fund with $3,000 of his own money after appearing on CNN to talk about the Facebook vulnerability that Shreateh found.
Earlier this month Shreateh reported a vulnerability to Facebook's bug bounty program, saying that he had found a way to post content to any user's timeline, even when not on a victim's friends list. Facebook rebuffed him in return emails and ultimately claimed his discovery wasn't a bug.
Frustrated, Shreateh took matters into his own hands and planted a message on CEO Mark Zuckerberg's Facebook timeline.
That got the attention of Facebook's security engineers, who quickly locked Shreateh out of his account. After restoring his access, Facebook said it would not pay him a bounty.
"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission," said Facebook software engineer Matt Jones in a Sunday entry on Hacker News. "Exploiting bugs to impact real users is not acceptable behavior for a white hat."
Jones did acknowledge that Facebook should have asked Shreateh for more information before dismissing his report, but he also ticked off a list of reasons, including the fact that Facebook receives "hundreds of reports each day" and the lack of detailed proof in Shreateh's original report. He also intimated that Shreateh's poor English skills had been a problem.
In an interview on CNN Monday, Maiffret took exception to Facebook's decision not to reward Shreateh.
"Ultimately, he helped kill a bug that could have been used by pretty bad guys out there to do things against Facebook users," said Maiffret. "Ultimately, he did a great thing and I don't think that should be lost in all this."
The vulnerability was certainly worth money to criminals, Maiffret asserted. "It would have been something that was very useful to folks in the underground to be able to post different content on celebrity sites or whatever it might have been, to be able to lure people to websites that would then attack them," he said. "With the nature of the severity, it would be good for Facebook to pay the guy."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts