Shreateh tested the bug on Sarah Goodin, a friend of Facebook CEO Mark Zuckerberg, then reported the bug via Facebook’s vulnerability reporting page. He got an initial reply stating, “I don’t see anything when I click link except an error.” Then, when he followed up, he was informed, “I am sorry this is not a bug.”
He then posted a statement on Mark Zuckerberg’s timeline stating, “Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall, i has no other choice to make after all the reports i sent to Facebook team.”
That got Facebook’s attention, but not in the best way — Facebook disabled Shreateh’s account. They later reactivated his account, but informed him that he wasn’t eligible for a bug bounty because he had violated the site’s Terms of Service.
And those terms are very clear — on the bug bounty page, Facebook states, “Please use a test account instead of a real account when investigating bugs. … Do not interact with other accounts without the consent of their owners.”
Later, Facebook Chief Security Officer Joe Sullivan stated, “We will make two changes as a result of this case: (1) We will improve our email messaging to make sure we clearly articulate what we need to validate a bug, and (2) we will update our whitehat page with more information on the best ways to submit a bug report. We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users.”