X
Tech

Facebook bug hunter paid $10K by community, not company

With Facebook deciding not to reward a young bug hunter, others in the information security community have decided to provide him with a reward out of their own pockets.
Written by Michael Lee, Contributor

After receiving no reward for his efforts to help identify a vulnerability in Facebook, Palestinian bug hunter Khalil Shreateh has finally been paid his dues, but not by the social networking site.

Shreateh's vulnerability has attracted a lot of controversy after Facebook failed to recognise his report as a valid bug, and in frustration, he took to using it to post content on Mark Zuckerberg's timeline to prove his point, saying he had "no choice" but to do so.

Although Facebook subsequently contacted him to find out further details of how he exploited the vulnerability, they also said that he broke the terms and conditions of its bug bounty program and was therefore not eligible to receive a reward.

Taking matters into his own hands, BeyondTrust CTO Marc Maiffret decided that Shreateh deserved to be rewarded for his efforts, and set up a crowdsourced fund to raise $10,000 for the young hacker.

Maiffret donated $3,000 to start the fund off, which was matched by $3,000 from eEye Digital Security founder Firas Bushnaq. eEye was acquired by BeyondTrust in May 2012.

The remainder of the fund, however, has been supported by over $4,000 in donations from over 100 individuals. At the time of writing, the fund has just exceeded its $10,000 goal.

Facebook's own bounty program offers rewards starting from $500, but has no maximum ceiling for payments. Its security response chief Ryan McGeehan has been quoted as saying that if a million-dollar bug was found, the company would pay it out.

The bounty program also advises participants not to test vulnerabilities on live Facebook accounts, asking them to set up one or more special test accounts. These accounts are separated from the rest of the network, and can only be used to interact with other test accounts.

Editorial standards