A SECURITY RESEARCHER posted a Facebook security issue directly to Mark Zuckerberg's public Facebook wall.
Khalil Shreateh has written about the incident on his blog. He said that he reported the bug to the Facebook bounty hunting service but was denied acknowledgement and cash payment because it was not a "bug".
"Days ago I discovered a serious Facebook vulnerability that allows a facebook user to post to all facebook users timeline even [though] they are not in his friend list," he said, explaining that he attempted to inform the company about the security problem more than once.
Facebook at first replied to the security researcher's email with a glib response. "I am sorry this is not a bug," it said.
Shreateh's response was, "I replay back and I said that I has no choice than to post to Mark Zuckerberg's timeline," an act that he did indeed carry out.
Facebook then took more notice and emailed the security researcher about what he had done. It cancelled his Facebook account and told him that he had broken its terms of service and would not be getting paid.
The account has since been reinstated, and Shreatah has posted the response that he got from Facebook. It repeated that it would not be parting with any cash.
"Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions," it said in the published email.
"We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site. We have now re-enabled your Facebook account." µ
Sign up for INQbot – a weekly roundup of the best from the INQ