Facebook initially denied that the researcher had discovered a bug.
A Palestinian security researcher said he was ‘forced’ to post a bug report on Mark Zuckerberg’s Facebook timeline after the social network’s security team denied he had discovered a critical vulnerability.
Khalil Shreateh twice reported the fault, which allows people to post on someone’s wall even if they are not on the user’s friends list, to Facebook but he received a message from site’s security team saying: "Sorry, this is not a bug."
He had reported the error through Facebook’s security feedback page, which offers a minimum reward of $500 for each real security bug report.
Shreateh said he then had no choice but to post the vulnerability details directly onto Zuckerberg’s page.
Just minutes after the post, he received a response from a Facebook engineer requesting the details about the vulnerability.
His account was temporarily blocked and he has been told he will not be paid for reporting it because his actions violated the website’s terms of service.
Facebook’s White Hat security feedback programme sets no reward cap for the most "severe" and "creative" bugs, but it sets a number of rules that security analysts should follow in order to be eligible for a cash reward.
Facebook has since unblocked Shreateh’s account and expressed hope that he will continue to work with Facebook to find more bugs.