Vulnerabilities detected by a blogger have put him at odds with Facebook and Instagram and underscore the uneasy balance between exposing flaws for a financial reward and then being told not to go public with those findings.
Wesley Wineberg, who works full time as a security engineer for Synack, said in a recent blog post he's been censured due to his participation in the Facebook bug bounty program, for which he initially was told he qualified to receive $2,500. Wineberg chronicles the saga over multiple pages since October.
At issue is whether Wineberg accessed Instagram employee and user data.
Facebook CSO Alex Stamos, in a Dec. 17 post on his own Facebook blog, accused Wineberg of non-ethical behavior by “exfiltrat[ing] unnecessary amounts of data and call[ing] it a part of legitimate bug research. Intentional exfiltration of data is not authorized by our bug bounty program, is not useful in understanding and addressing the core issue.”
Wineberg responded on Dec. 18 on his blog “Exfiltrated”: “I continue to hope that security research will be given appropriate recognition and legal protections. I believe that it's the infosec community's job to lead by example. I don't think that threatening security researchers should ever be acceptable, and I believe that as a community we are better than that … I'd like to think I'm on the good guys' side when it comes to security research, so hopefully my findings will be seen in that light.”