Facebook follows Paypal in trying to turn white hats black

A lot of companies run bug bounty programs, and some of them look for silly reasons to refuse a payout. Paypal refused to pay a programmer under 18 years old who found a bug. This is a bad idea because it encourages people who have found bugs to look for other ways to make money from them. Today it is Facebook that has decided to create the same perverse incentives for hackers: their security team ignored a bug report until the researcher used the bug to post on Zuckerberg's wall.

Joshua also informed Shreateh that he would not be receiving a bug reward for reporting the exploit because he violated the site's terms of service. "We do hope, however, that you continue to work with us to find vulnerabilities in the site," he wrote.

There are two interpretations of what is going on here. The first is that Facebook does not want to encourage people to embarrass the company or harass its CEO/founder. The second is that the Facebook employees in charge of this program, the same ones who ignored the researcher's report, decided not to pay out the $500 because of their own embarrassment.

Either way, it should be noted that an exploit that allows spamming Facebook walls is worth significantly more than $500 elsewhere. In terms of cost, $500 is a very small amount for Facebook, and the company routinely spends much more to keep employee morale high. By refusing even these relatively small payouts, Facebook is encouraging people who can find exploits to find other ways to monetize their findings, and it is lowering the morale of its large free workforce. If Facebook is going to refuse to honor its payouts unless people follow the rules exactly, it should make the payouts significantly larger.

For the individual involved in each case, the publicity the media gives them is worth more than the payout they missed; for the companies involved, the opposite is true.