Crowdsourced Fund Raises Over $10,000 For Palestinian Hacker After Facebook’s Refusal To Pay Up

After Facebook turned its back on the Palestinian hacker who exposed a bug on the social networking site, a crowdsourced fund has raised more than $10,000 to support the bug hunter.

Individuals who find software bugs on the world's largest social networking site, Facebook, are rewarded by the company under its "Bug Bounty" program, started in 2011, with $500 or more. But the Palestinian hacker who got into their site was not compensated for his efforts.

The exposure of the bug came in a unique way. At first, the Palestinian security researcher, Khalil Shreateh, found and reported a vulnerability that allows users to post updates on non-friends' walls, and got ignored. He then reported the bug by posting a statement on a girl named Sarah's profile. The Facebook White Hat team responded saying "Sorry, this is not a bug." Finally, Shreateh hacked Facebook CEO Mark Zuckerburg's timeline to report the bug and got a response from the security team , which hastened to fix the vulnerability.

But Shreateh was denied his reward for discovering the flaw as he violated the terms and conditions of the bug bounty program, according to Facebook.

Facebook plainly states that in an event any individual finds a software bug, he/she is not supposed to try it on live Facebook accounts. Instead, one is supposed to create one or more test accounts isolated from the Facebook network and carry out the tests.

Although the social networking giant stuck by its rules and regulations, the decision was not accepted by a lot of people.

BeyondTrust CTO Marc Maiffret created a crowdsourced fund, GoFundMe, to raise some cash to acknowledge the Palestinian bug hunter's efforts. The campaign started Monday, quickly gained worldwide attention and raised $10,830 (which rose from $10,670 at the time of writing). The campaign creator himself donated a generous $3,000. eEye Digital Security founder Firas Bushnaq matched it by funding $3,000.

"We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users," chief security officer Joe Sullivan said in a blog post. "It is never acceptable to compromise the security or privacy of other people."