Shreathe’s initial report described a bug that allows you to post on anybody’s wall, even if they are not your friend. To demonstrate, he posted a link on Sarah Goodin’s wall, a college friend of Mark Zuckerberg. A member of the Facebook Security team clicked the link, received an error message, and told Khalil that what he had found was in fact not a bug at all. So Khalil took his efforts to the next level, politely posting his link on Zuckerberg’s own wall and exploiting the bug once more. This time, he got a heavy response from Facebook engineers. However, Facebook denied Khalil a reward for finding the bug. Typically, security researchers are paid upwards of $500 for responsibly filing critical bug reports. Khalil did, in fact, not follow Facebook’s disclosure rules, but he was courteous in his demeanor, responsible in his actions, and did not sell his bug to spam advertisers. Surely a company that pays out over $1 million to bug reporters annually can give Khalil a little something for his efforts.
