Facebook Bug Finder Gets $12k Reward From Community Fund

A researcher who highlighted a Facebook bug by posting on CEO Mark Zuckerberg’s page, but wasn’t rewarded by the social network, is to receive over $12,000 thanks to a crowdfunding effort.

CTO of security firm BeyondTrust, Marc Maiffret, kicked off the campaign last week, hoping to raise $10,000 for Khalil Shreateh but the total exceeded that and has continued to rise to hit $12,058 at the time of publication. Contributions are still pouring in today.

Shreateh discovered a Facebook bug that let anyone post on any user’s timeline. Having told Facebook about the vulnerability through the typical channels, he received no response.

Facebook bug bounty denied

Frustrated, he took to Zuckerberg’s page to prove the flaw worked, having already done the same to another Facebook member who went to the same college as the CEO.

The researcher was then thrown off of Facebook, as he had broken the terms of service by writing on walls he was not authorised to access.

Facebook said that was not “acceptable behaviour”, whilst claiming Shreateh was not clear enough in his initial emails for the company to have addressed the flaw. It said it would not be paying out a bug bounty as it usually does.

But the industry has responded by supporting Shreateh and rewarding him more richly than Facebook would have done.

“Khalil Shreateh found a vulnerability in Facebook.com and, due to miscommunication, was not awarded a bounty for his work,” Maiffret said.

“Let us all send a message to security researchers across the world and say that we appreciate the efforts they make for the good of everyone.

“All proceeds raised from this fund will be sent to Khalil Shreateh to help support future security research.”

What do you know about Internet security? Find out with our quiz!