Modernizing Authentication — What It Takes to Transform Secure Access
Shreateh tested the bug on Sarah Goodin, a friend of Facebook CEO Mark Zuckerberg, then reported the bug via Facebook's vulnerability reporting page. He got an initial reply stating, "I dont see anything when I click link except an error." Then, when he followed up, he was informed," I am sorry this is not a bug."
He then posted a statement on Mark Zuckerberg's timeline stating, "Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports i sent to Facebook team ."
That got Facebook's attention, but not in the best way -- Facebook disabled Shreateh's account. They later reactivated his account, but informed him that he wasn't eligible for a bug bounty because he had violated the site's Terms of Service.
And those terms are very clear -- on the bug bounty page, Facebook states, "Please use a test account instead of a real account when investigating bugs. ... Do not interact with other accounts without the consent of their owners."
Later, Facebook Chief Security Officer Joe Sullivan stated, "We will make two changes as a result of this case: (1) We will improve our email messaging to make sure we clearly articulate what we need to validate a bug, and (2) we will update our whitehat page with more information on the best ways to submit a bug report. We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users."