Dispute with Facebook: an engineer who reported a vulnerability and earned a bounty is accused of taking his investigation too far


By Mike Mozart

Facebook runs a program that pays rewards to people who report vulnerabilities and bugs in its services, with the amount scaled to the severity of the bug and the technical skill involved, and uses it to improve those services. An engineer used this program to report a bug in Instagram, which Facebook owns, and received a reward in recognition of the report. A dispute has since developed, however, because Facebook says that his follow-up investigation of the bug went beyond the program's legitimate scope, and it has refused to pay a reward for what he found afterwards.

EXFiLTRATED
http://www.exfiltrated.com/research-Instagram-RCE.php

Bug Bounty Ethics
https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics/10153799951452929

Wesley Weinberg, an engineer at the security company Synack, found a vulnerability in Instagram, which is owned by Facebook, that could potentially lead to remote code execution. Synack allows its employees to take part in bug bounty programs in their free time and keep the payouts, so he reported the vulnerability through Facebook's bug bounty program.

Facebook accepted the report and approved a $2,500 reward for Mr. Weinberg. Reportedly only a few percent of all submissions to Facebook's bug bounty program are recognized and paid, so clearing that bar is a narrow gate.

However, after discovering the vulnerability, Mr. Weinberg continued his investigation and succeeded in obtaining the AWS API secret key used by Instagram. With it, it became possible to impersonate Instagram employees or users and even retrieve data.


Mr. Weinberg also reported the additional vulnerabilities he had found to Facebook, but Facebook replied to the effect that, going forward, it expects researchers to act in good conscience during their investigations and not to violate users' privacy, corrupt data, or interrupt or degrade its services, and it ultimately told him that the additional findings did not qualify for a reward.


Mr. Weinberg considers this response unjust, because the terms of Facebook's bug bounty program prohibit only actions that take the service down and say nothing about other actions. In other words, he argues that an engineer who intrudes into a system in the course of hunting for bugs or vulnerabilities should not be faulted for doing so.

Facebook's CSO Alex Stamos, however, rebutted this on the official blog while laying out the history of the dispute with Mr. Weinberg. According to Stamos, the Instagram vulnerability Mr. Weinberg initially reported, entry through an exposed Ruby-based administrator panel, had already been reported by several other people, but Facebook nonetheless decided to pay him $2,500 to express its appreciation for the report. Up to that point, Facebook judged that Mr. Weinberg's conduct fell within what the program anticipates and was carried out with a proper sense of ethics.

However, Mr. Weinberg then discovered the API key, accessed an S3 bucket, and used the key to download data about Instagram's technology and systems onto his own machine, and Facebook holds that such conduct is not something the bug bounty program permits: "We cannot set a bad precedent by condoning acts that wrongfully obtain data, even when done in the name of bug bounty research." Incidentally, Mr. Weinberg writes on his blog that he has already destroyed all of the information he obtained from Instagram's servers.

Beyond these arguments, Mr. Weinberg asserted that Mr. Stamos called the president of Synack, where he works, and pressured him, hinting at legal action, and that "before making such a call, Mr. Stamos did not contact me directly" because "he looks down on me as a low-level engineer." In response, Stamos countered that "it is true that I called the president of Synack, but I never hinted at or pressed for legal action."

Posted in Note, Software, Web Service, Security by darkhorse_log