undefined | Better HN

0 pointsprawn12y ago0 comments

Pay the man.

He stumbled around a bit trying to work out how to help, but he brought a flaw to your attention in what he thought was a polite way. If unleashed, this bug could've been used to wreak havoc on Facebook and damage the company's reputation. $500 is the very least FB should be paying.

0 comments

nly12y ago

Exactly, no harm was intended or done. Somebody posting on your wall doesn't even really impinge on your privacy (Hell, for all intents and purposes Facebook do it for profit). Whatever reward, perhaps reasonably reduced, they pay this guy will be cheaper than any bitterness earned from sitting behind a wall of pedantry with big fat righteous grins on their faces.

If they bothered to look at his profile (it's public), they'd see he looks to be a great fan and tinkerer on the Facebook platform.

jaequery12y ago

after being treated this way, i doubt this man (probably everyone who read this) will ever report bugs to facebook anymore.

mohamedmansour12y ago

Agreed, Facebook will not be safe anymore. All these white hackers will sell their exploit to black hackers.

khalilshr12y ago

i said that many times , agreed

lvs12y ago

You're doing good work. Don't be discouraged. You clearly have some talent, and you can do positive good with it. Large companies are wedded to their rules, terms, and systems. As you work more on these sort of things, the process will get easier. As you can see, there are many supportive people here.

jaequery12y ago

if this bug, does what i think it does, this man if met with certain group of people, had the chance to make millions out of this bug.

tptacek12y ago

Is it even lawful for them to pay people that knowingly invade other people's accounts?

losvedir12y ago

Why wouldn't it be? At worst, wouldn't facebook be the aggrieved party, and not another user of facebook?

Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.

If this is the case, then surely facebook could just choose not to press charges, and if so, what would be unlawful paying him in that case?

Killah91112y ago

The bank example's a tad off when trying to draw a correlation to this particular case. I do agree with your sentiment though. I would reword it and say: if someone pointed out to a stubborn bank manager who refused to listen that the vault and my h of the bank's money was easily accessible, by taking out afew dollars from the bank & handing it to him. The a very embarrassed manager would be right to reward the person for showing the institutions flaw and not robbing them blind.

They might even throw a little fanfare his/her way to send a message that the bank appreciates being told and not robbed blind. (Especially given that they're a "community bank" built by pioneers and not a monolithic marble statue institution :-P)

orclev12y ago

Posting something on someones wall isn't so much invading as it is leaving a sticky note on their door. By that metric UPS invades peoples homes quite regularly when they fail to deliver a package. Had he actually accessed any non-public details of a users account that might be one thing, but the only data he was able to view was the post he had created himself. In short, it was his data, from his account, it just happened to be located on someone else's page. Honestly it's not even that bad of a vulnerability, more like a mild nuisance.

lazyjones12y ago

They will pay for reporting of the bug. What's with the apparently intentionally inaccurate description of his actions? All he did was post to someone's wall, that's hardly "invading someone's account".

loceng12y ago

He posted something to them - he didn't access them.

tptacek12y ago

I chose my words carefully.

1 more reply

j / k navigate · click thread line to collapse

0 comments

nly12y ago

If they bothered to look at his profile (it's public), they'd see he looks to be a great fan and tinkerer on the Facebook platform.

jaequery12y ago

after being treated this way, i doubt this man (probably everyone who read this) will ever report bugs to facebook anymore.

mohamedmansour12y ago

Agreed, Facebook will not be safe anymore. All these white hackers will sell their exploit to black hackers.

khalilshr12y ago

i said that many times , agreed

lvs12y ago

jaequery12y ago

if this bug, does what i think it does, this man if met with certain group of people, had the chance to make millions out of this bug.

tptacek12y ago

Is it even lawful for them to pay people that knowingly invade other people's accounts?

losvedir12y ago

Why wouldn't it be? At worst, wouldn't facebook be the aggrieved party, and not another user of facebook?

Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.

If this is the case, then surely facebook could just choose not to press charges, and if so, what would be unlawful paying him in that case?

Killah91112y ago

orclev12y ago

lazyjones12y ago

loceng12y ago

He posted something to them - he didn't access them.

tptacek12y ago

I chose my words carefully.

1 more reply

j / k navigate · click thread line to collapse