Khalil Shreateh, a security researcher and IT expert, had identified a security bug on Facebook earlier last week. The bug allowed a hacker to post on anyone’s wall even if they aren’t friends with that person.
Khalil initially reported the bug to Facebook by posting a link to Sarah Goodin, a college friend of Zuckerberg. He attempted to demonstrate that the bug would allow him to post on anyone’s wall (in this case Goodin’s) even though he wasn’t friends with her. However, when the Facebook Security team attempted to open the link, they received an error message since they weren’t friends with Goodin. Although Khalil went on to explain that only friends of Goodin and those who can override privacy settings would be able to see the link, the Facebook team concluded that it was not a bug.
After being denied, Khalil decided to step things up a notch and chose to post his link on Mark Zuckerberg’s wall. This tactic of course worked, as Facebook’s Security team reached out to Khalil and asked for more information on the bug. Facebook has a whitehat exploit disclosure program where security researchers are paid at least $500 for each critical bug reported. However, since Khalil violated Facebook’s terms of service by posting directly on Goodin’s and Zuckerberg’s walls, instead of creating test accounts, he would not receive any money.
The bug has since been resolved, but there is still a debate on whether or not Khalil should receive a bounty for his work.
What do you think? Should Khalil be paid for his services? Or did his method of disclosing the bug justify not rewarding him? Please share in the comments below.