Almost all other companies would say the bug was out of scope, thank you for reporting it, and maybe send you a t-shirt.
Honestly, resume uploads are unlikely to be worth much. Neither is the resume analysis software. What information is there that's worth anything to a disreputable buyer?
However, I'm unsurprised to find such reasoning on HN.
There's more than enough information on what Facebook tends to give out on various types of vulns. I wouldn't be surprised if there's a website out there that aggregates this sort of information. Even if you don't know precisely what you'll get, you'll at least have a rough idea.
> However, I'm unsurprised to find such reasoning on HN.
Honestly, as someone who is decidedly not a capitalist usually: either the bounty is a token "thank you", or it's a capitalist-minded attempt to get people to report vulns rather than ignore them or sell them on the market. In the former case, the amount doesn't really matter so long as it's not insulting, and in the latter, my argument that if it gets people providing vulns, it's enough, applies.
It's specifically not "payment", because payment-for-services requires that services were actually and specifically requested. It's a reward or a "thank you", and should be thought of as such - perhaps similarly to a reward for finding a lost kitten.
But I think it was pushed because it was Sunday and the Careers team was not on site to properly/permanently fix the bug.
But hey, I'd break all kinds of functionality temporarily to make sure this exploit - which, as is explained, looked worse than it ended up being - wasn't actually as bad as (or worse than) it looked.