This researcher claims Facebook threatened him for reporting bugs

A spat erupted last week between Facebook and a security researcher who reported a vulnerability in the infrastructure behind its Instagram service. In the wake of having reported the bug, Wesley Wineberg, a contract employee of security company Synack, accused Facebook of trying to threaten his job and intimidate him. Facebook says, well, a number of things: that Wineberg was one of several to discover the vulnerability, that the company thanked him and offered him $2500 (as is “standard”, it says), that Wineberg wanted more than that, and that the researcher then crossed the line of responsible, ethical bug reporting to “rummage” through data. The starting payout for bugs in Facebook’s bounty program is $500. In an extensive post about the situation, Facebook chief security officer Alex Stamos on Thursday wrote that Facebook offered to pay Wineberg $2500 “despite this not being the first report of this specific bug.” Up to the point when Facebook offered him $2500, everything Wineberg did was “appropriate, ethical, and in the scope of our program,” Stamos says. Both parties agree on one thing: from there, it went downhill fast. The way Stamos tells it, Wineberg used the flaw to “rummage around” for useful information, which he found – in spades.