Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him “this was not a bug,” according to an email that Shreateh shared.
Shreateh says he tried a second time to warn Facebook and when that didn’t work, he used the bug to post a message to Mark Zuckerberg’s Wall.
The message said, “Sorry for breaking your privacy … but a couple of days ago, I found a serious Facebook exploit” and explained that Facebook’s security team wasn’t taking him seriously.
Here’s a photo of the message from Shreateh.
In a post on Hacker News, Matt Jones from Facebook’s security team said that once the team understood the bug they acted quickly, “We fixed this bug on Thursday.”
They also temporarily suspended Shreateh’s account and said they wouldn’t pay him the bounty fee because, by posting to Zuck’s account, he violated Facebook’s terms of service.
Read more: Business Insider
