Facebook admits failure in bug report

Facebook admits failure in bug report

Summary: Facebook's CSO admits in a post that the company didn't handle Khalil Shreateh's bug report very well and has worked to improve the company's bug bounty program procedures. Shreateh deserves some blame too.

TOPICS: Security

Facebook's Chief Security Officer, Joe Sullivan, has posted a reaction to the recent incident in which the company's whitehat program blew off a significant bug report, after which the submitter used the bug to post on Mark Zuckerberg's wall to demonstrate it.

I personally think that Sullivan concedes every point I made in my own column about the company's behavior: "He tried to report the bug responsibly, and we failed in our communication with him."

Sullivan points out, and is undoubtedly correct, that the vast majority of bug reports that come to their bug bounty programs are not bugs at all. Clearly Khalil Shreateh, the bug submitter, was not providing sufficient information for them to evaluate the bug, but the Facebook whitehat guys who fielded his submission dealt with it unintelligently and didn't ask Shreateh any worthwhile questions.

Sullivan only hints at it late in his post, but some blame for what happened clearly lies with Shreateh. As Sullivan points out (and I was unaware of this when I wrote my first story) Facebook has a facility for bug submitters to create test accounts in order to demonstrate bugs. Instead, Shreateh chose to use an unconnected 3rd party's account to demonstrate it, something which is clearly in violation of the bug bounty policy.

What's needed here is a script for the whitehat guys. When someone submits a bug and it's not clearly submitted with proper procedure, they need to remind the submitter of what the policies are impress on him that they need to be followed. But Facebook already looks bad enough in this, so Sullivan doesn't dump on him directly.

I still wish they could find a way to pay Shreateh, who seems to have meant well but lacks a sense of propriety in responsible submission, but perhaps that would open them up to complaints about other denied bounties.

In any case, a crowdsourced bounty program specifically for Shreateh, led by BeyondTrust CTO Marc Maiffret, has already collected over $10,000. starting with $3,000 each from Maiffret and security entrepreneur Firas Bushnaq.

If the end result of this is that Shreateh gets his money and Facebook's bounty program improves its procedures then it's a good result.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • All's well that ends well... but

    Maybe the submitter isn't 100% competent in the English language. Facebook, admit he did you a favour albeit through the Back door and move on. Just have better screening policies in place.
    Desperate Dan
  • Pervasive...

    By Internet standards, Facebook should be a "mature" operation by now, but — the organization hasn't yet managed to outgrow their founder's (lack of) ethics, and they remain persistently and pervasively "tone deaf" to public opinion; stay tuned for more gaffs, soon…
  • How tacky to keep blaming the messenger

    In a sane world Facebook would use its billions to get its software and its procedures and its personnel right.
    Sorry, might have to have paid interns to do that.
  • this might hurt them in the future.

    If he is poor and desperate for money.. it may be that the next time he finds a bug like this, he may go the way that actually makes him money and sell it to criminals.

    desperate is desperate.. he will do what he has to, to get paid. Facebook may not like the results of that next time around if they don't give him something. He did try to do it right, but not speaking English well is apparently a big barrier.