Facebook admits failure in bug report

Facebook's CSO admits in a post that the company didn't handle Khalil Shreateh's bug report very well and has worked to improve the company's bug bounty program procedures. Shreateh deserves some blame too.

Facebook's Chief Security Officer, Joe Sullivan, has posted a reaction to the recent incident in which the company's whitehat program blew off a significant bug report, after which the submitter used the bug to post on Mark Zuckerberg's wall to demonstrate it .

I personally think that Sullivan concedes every point I made in my own column about the company's behavior: "He tried to report the bug responsibly, and we failed in our communication with him."

Sullivan points out, and is undoubtedly correct, that the vast majority of bug reports that come to their bug bounty programs are not bugs at all. Clearly Khalil Shreateh, the bug submitter, was not providing sufficient information for them to evaluate the bug, but the Facebook whitehat guys who fielded his submission dealt with it unintelligently and didn't ask Shreateh any worthwhile questions.

Sullivan only hints at it late in his post, but some blame for what happened clearly lies with Shreateh. As Sullivan points out (and I was unaware of this when I wrote my first story) Facebook has a facility for bug submitters to create test accounts in order to demonstrate bugs. Instead, Shreateh chose to use an unconnected 3rd party's account to demonstrate it, something which is clearly in violation of the bug bounty policy.

What's needed here is a script for the whitehat guys. When someone submits a bug and it's not clearly submitted with proper procedure, they need to remind the submitter of what the policies are impress on him that they need to be followed. But Facebook already looks bad enough in this, so Sullivan doesn't dump on him directly.

I still wish they could find a way to pay Shreateh, who seems to have meant well but lacks a sense of propriety in responsible submission, but perhaps that would open them up to complaints about other denied bounties.

In any case, a crowdsourced bounty program specifically for Shreateh , led by BeyondTrust CTO Marc Maiffret, has already collected over $10,000. starting with $3,000 each from Maiffret and security entrepreneur Firas Bushnaq.

If the end result of this is that Shreateh gets his money and Facebook's bounty program improves its procedures then it's a good result.