As the history of being a white-hat hacker shows, keep hacking but shut up! Because even if you tell the author you found a way to get into their system and you haven't caused any damage, they sure will come after you in a legal way.
In the example herein, not only does the author prove time after time that there are serious holes in FB's auth system, but he is also very happy to blog about it. You see, FB is a publicly traded company. The management answers to stockholders and the board. If some Joe Hacker keeps finding holes in the system, someone somewhere reading that blog may be thinking of abandoning the FB platform due to its security layer looking like Swiss cheese. And management doesn't like that, because fewer users == fewer eyeballs for $.
My gut tells me, if this guy did not get an offer to work for Facebook just yet, it means they are building a lawsuit against him, as you perfectly well know FB's TOS forbids anyone from fiddling with any of their URLs.
I work at Facebook on our whitehat program. To clear this up: we have not, and would never, come after someone properly submitting bugs to us. Quite the opposite: we are very appreciative when someone takes the time to find something and send it our way. Everything is aligned around rewarding responsible disclosure instead of punishing its inverse.
Nir in particular is one of our best supporters (rough rankings: https://www.facebook.com/whitehat/thanks/); we certainly have no intention to sue him or anyone submitting bugs to us. He even stopped by our office last week to talk about bugs.
Because of the volume of reports we have settled on scanning every new item quickly, categorizing it by severity and then responding. As you say, it is a minor privacy issue, so it looks like it went into a lower-priority area. I will make sure you hear back soon.
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
Only question -- who decides on what is "reasonable time"? Because something tells me it's not a hacker, it's Facebook itself.
"Reasonable whatever" is often used in laws, courts and contracts. Lawyers and judges are used to interpreting this. If Facebook were to sue you, you could start talking about it as part of your defence.
Additionally, Facebook needs to be seen to be reasonable and to have a proper 'whitehat' policy. If they start being mean and dictatorial here, then there will be a breakdown in social trust. People won't report bugs to Facebook; people will sell vulnerabilities on the black market. People will release exploits before telling Facebook. It will, eventually, be bad for Facebook.
I'm under the impression that FB's whitehat program is active enough that submitters don't experience the notification black hole that has required crackers to raise awareness by broadcast elsewhere. That is, "reasonable" has a way of taking on concrete meaning when the site/company actually responds.
I imagine FB requests that details of the vulnerability are kept private until they have informed the discoverer that they are happy for it to be published.