> how exactly do you propose that they write a policy that compensates people for violating the security of their users? Not the security of Facebook, but the integrity of their actual users.
Otherwise, you should make some good faith effort to not assume devious intentions on someone making a good faith effort to report problems.
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
Technically, according to the security person at Facebook, it wasn't a bug. When he did the same thing again on Mark Z's account, it suddenly became hacking. Yeah, he didn't follow a procedure that wasn't available to him in his native language, but he made a good faith attempt to report the bug, and did so several times.
> But good intentions aren't always enough.
Several attempts to contact them despite being told the actions he was taken was not a bug despite clearly explaining why it was?
In the appropriate language: https://news.ycombinator.com/item?id=6231153
Otherwise, you should make some good faith effort to not assume devious intentions on someone making a good faith effort to report problems.
> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
Technically, according to the security person at Facebook, it wasn't a bug. When he did the same thing again on Mark Z's account, it suddenly became hacking. Yeah, he didn't follow a procedure that wasn't available to him in his native language, but he made a good faith attempt to report the bug, and did so several times.
> But good intentions aren't always enough.
Several attempts to contact them despite being told the actions he was taken was not a bug despite clearly explaining why it was?