A well-known security researcher named Wes Wineberg has found himself at the center of a conflict with Facebook over just how far bug bounty hunters can—and should—go.
In October, Wineberg discovered a hole that allowed him to run code remotely and crack the passwords of several employees. Using that information, he was able to access Instagram server files.
“To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” he said. “With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, private pictures and data.”
He reported one of the vulnerabilities to Facebook and received a $2,500 reward, but when he reported two of the other security flaws, Facebook became angry with him, accusing him of going beyond the bounds of “ethical behavior.” Facebook’s actions have angered many in the security community, who feel that Facebook needs to be clearer about its expectations of bug hunters. For instance, if the site doesn’t want researchers to dig deeper after they’ve already discovered a flaw, Facebook needs to spell that out. Despite the dispute, Facebook did fix the underlying flaws that Wineberg pointed out.