Security is an important factor in much of today’s software, and it is something that companies like Google and Facebook take very seriously. Facebook-owned Instagram is no different and treats privacy and security as a high priority. Like many larger tech companies, Facebook offers bug bounties as part of a special program to people who discover vulnerabilities in its software and report them. So when independent security researcher Wesley Weinberg found some vulnerabilities within Instagram’s infrastructure, he naturally emailed Facebook about the security issues, doing so in stages over the span of a few weeks as he uncovered multiple security holes at different times. According to a blog post from Weinberg earlier in the month, Facebook’s Chief Security Officer Alex Stamos contacted the company Weinberg is contracted to work for, Synack, and apparently threatened legal action over the matter.
It didn’t begin this way, of course: Weinberg’s first bug report was met with a reported $2,500 reward. Weinberg states that the security issues he uncovered would technically have allowed him to gain complete control of Instagram, including key details such as the SSL certificates and private keys for the website. It was after he reported the last two vulnerabilities, Weinberg notes, that Stamos got in contact with Synack’s CEO, Jay Kaplan. Facebook’s response has drawn some negative attention from the community in the comments on Weinberg’s blog post, where some users say that Facebook needs to be clearer about the guidelines surrounding its bug bounties.
The apparent reason for this reaction is a set of comments Stamos reportedly made to Weinberg’s employer, in which he said that “he did not want to get Facebook’s legal team involved, but he was unsure if it was something he needed to go to law enforcement over,” while also calling the vulnerabilities Weinberg reported “trivial” and stating that they were “of little value.” All of these statements were, of course, described in Weinberg’s blog post, which prompted a public post from Stamos on the ethics of bug bounties. In that public note, Stamos reportedly says that Weinberg acted unethically by writing about the situation on his blog while also threatening to publicly disclose the details of the private keys and other security data. The full truth of the matter may never be clear, but the situation does draw attention to the way these kinds of disclosures are handled.