Companies like Facebook and Google take security so seriously that they’re willing to pay “bug bounties” to people who discover vulnerabilities in their products and report them. The process is fairly simple, but there’s not much in the way of guidelines for how abnormal situations or potential issues are handled, as evidenced by last week’s dispute between a security researcher by the name of Wesley Wineberg and Facebook chief security officer Alex Stamos. Not all the details are available, but the gist of the situation is that Wineberg discovered a number of dangerous Instagram vulnerabilities and reported them to Facebook, which eventually proceeded to threaten him with legal action.
A spat erupted last week between Facebook and a security researcher who reported a vulnerability in the infrastructure behind its Instagram service. In the wake of having reported the bug, Wesley Wineberg, a contract employee of security company Synack, accused Facebook of trying to threaten his job and intimidate him. Facebook says, well, a number of things: that Wineberg was one of several to discover the vulnerability, that the company thanked him and offered him $2500 (as is “standard”, it says), that Wineberg wanted more than that, and that the researcher then crossed the line of responsible, ethical bug reporting to “rummage” through data. The starting payout for bugs in Facebook’s bounty program is $500. In an extensive post about the situation, Facebook chief security officer Alex Stamos on Thursday wrote that Facebook offered to pay Wineberg $2500 “despite this not being the first report of this specific bug.” Up to the point when Facebook offered him $2500, everything Wineberg did was “appropriate, ethical, and in the scope of our program,” Stamos says. Both parties agree on one thing: from there, it went downhill fast. The way Stamos tells it, Wineberg used the flaw to “rummage around” for useful information, which he found – in spades.