Tuesday, August 20, 2013

Why Facebook can't pay the bounty -- but should anyway

There are two sides to every story, and there's more to the story of Facebook's snub of Khalil Shreateh, the security researcher who found a bug in Facebook.

Firstly, it's not necessarily Facebook's fault that they failed to recognize the bug. Researchers, especially non-English speakers, have horrible communication skills. They might have the best bug in the world, but their description of it can be incomprehensible. That Khalil's emails were rejected is more likely Khalil's fault than Facebook's.

The situation is complicated, though. On one hand, companies like Facebook go through stages of "denial" where they look for reasons to ignore bugs, even when they have a bounty program, maybe especially because they have a bounty program. On the other hand, researchers tend to be passive aggressive. They want the company to reject their bug report, to help justify their world-view that companies are evil. Therefore, researchers often do the least possible to report a bug, in order to ensure that things get messed up.

In other words, both sides work toward maximum misunderstanding. When things go awry, it's hard to figure out who is to blame.

That Khalil then used the bug to hack Zuck's account causes a legal problem. Technically, it's a violation of the law. That means Facebook cannot reward such behavior, even if they wanted to: their own lawyers won't let them (h/t @cipherlaw). No matter who was at fault in the original misunderstanding, Facebook still can't pay the bounty.

But Facebook has a principle they call the "Hacker's Way". A key feature of this Way is that "code wins arguments". That's just what Khalil did -- his English skills sucked, his coding skills rocked, and it's his code that won the argument. Not paying the bounty might be the proper thing to do from a legal perspective, but it repudiates what Facebook stands for.

I mention "principles" a lot on this blog. Principles mean nothing when the going is easy; what matters is when the going gets tough. Standing up for your principles, even in the face of difficulty, is what proves what you actually stand for. Either Facebook stands behind the Hacker's Way or they don't. The proper question for the lawyers isn't "should we reward Khalil" but "how can we reward Khalil".


lttg said...

« Researchers, especially non English speakers, have horrible communication skills. »

Just one thing: maybe non-English researchers have horrible communication skills... But I think it is simplistic.

A multinational company like Facebook should be able to read technical messages in other languages. Especially when the service is available in this language...

Anonymous said...

I would agree with you if I thought Facebook actually stood for anything anymore. The Hackers Way my ass.