Facebook offers a pretty attractive bug bounty program that rewards white hatters for identifying and reporting vulnerabilities in their service. In search of a $500+ reward, Palestine’s Khalil Shreateh discovered a method to circumvent the website’s privacy settings, allowing him to post on anyone’s timeline without consent.
Under normal circumstances, Shreateh would have been compensated for his findings, but his formal report to the company was ignored. After a couple of follow-up emails without an acceptable acknowledgement, the hacker decided to take matters into his own hands, using the bug to post a message directly to Mark Zuckerberg’s timeline.
According to Mashable, Shreateh originally tested out the exploit on a former college classmate of Zuckerberg’s, Sarah Goodin. His practice run proved to be successful and he later linked this post in his email to a Facebook security employee known only by the name Emrakul. Unfortunately, Emrakul isn’t friends with Goodin and thus couldn’t see the vulnerability. After sending a second and third email to clarify the exploit and describe how it operates, Emrakul responded by saying, “I am sorry this is not a bug”.
It was at this point that Shreateh’s patience started to wane, and he made the following post to Zuckerberg’s wall: “Sorry for breaking your privacy and post to your wall ... but a couple of days ago, I found a serious Facebook exploit”.
So Shreateh finally captured the attention of Facebook and was rewarded for his efforts? Although Facebook quickly jumped into action and did patch the bug on Thursday, Shreateh's actions were met with disapproval rather than praise.
By posting on Zuckerberg’s wall and acting on his exploit, Shreateh violated Facebook’s responsible disclosure policy, which prohibits hackers from using newly discovered bugs on the accounts of others without permission. As a result of these actions, his Facebook account was temporarily suspended “as a precaution”, and needless to say, he won’t be provided with any monetary compensation for his finding.
Facebook's Matt Jones reiterated this fact to Hacker News, saying “Exploiting bugs to impact real users is not acceptable behaviour for a white hat... In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.”