Bug hunting turns ugly as researcher gets in a spat with Facebook
Bug hunting under the bug bounty programs run by tech companies has been a relatively straightforward affair, at least for those of us outside the scene. On the inside, though, things can be more confusing than the Wonderland Alice found herself in, as a recent spat between a bug hunter and Facebook reveals.
Wes Wineberg was on his usual bug hunting business when he discovered and disclosed to Facebook some issues with Instagram on October 21. Wineberg detailed that he and Facebook’s security team had their usual exchange for a bit when suddenly Alex Stamos, Facebook’s CSO, contacted Wineberg’s contract employer, referencing legal and criminal actions.
Long story short, Alex Stamos says that Wes Wineberg went too deep into the rabbit hole and, in exposing vulnerabilities, also gained access to private information, which makes this bug bounty void. Stamos maintains that Facebook will not change this stance, so as not to set a precedent for other bug hunters to go further than they need to, to the extent of accessing private information. Wineberg, on the other hand, says he’s done everything by the book, and is frustrated that not only was he not awarded the bounty for the bug, he was also intimidated with references to legal and criminal actions for his bug reporting.