Facebook, Researcher Spar Over Instagram Flaw Disclosure

msm1267 writes: A security researcher is in a bit of a scrum with Facebook over vulnerability disclosures that not only tested the boundaries of the social network's bug bounty program, but he said, also prompted hints of legal and criminal action, which Facebook has since denied. Wesley Wineberg, a contract employee of security company Synack, said today that he had found some weaknesses in the Instagram infrastructure that allowed him to access source code for recent versions of Instagram, SSL certificates and private keys for Instagram.com, keys used to sign authentication cookies, email server credentials, and keys for more than a half-dozen critical other functions, including iOS and Android app signing keys and iOS push notification keys. Wineberg also accessed employee accounts and passwords, some of which he cracked, and had access to Amazon buckets storing user images and other data prompting claims of user privacy violations from Facebook.

When the CSO is involved it is a coverup.

[EmperorOfCanada]

One of the problems with bug bounties is information control. I am not talking about the bugs leaking out or making the company look bad so much as the information is then clear for the higher ups in the company to see what bugs the outside world is discovering. Thus those in charge of security look at bug bounties as career damaging information they can't control. I am willing to guess that many submissions are made to bug bounty gathering organizations that are complete crap. People no doubt write in vague things such as "You are using the Monkey BM operating system which is known to have many flaws. You can send the cheque to ..." Thus it is probably easy for the CSO to take a genuine flaw and file it under the category "spurious". The worse the flaw, and the more clear the evidence as to how damming it is no doubt are the ones that they want to make go away the fastest. The CSO probably is used to being Tyrannical to his own employees and many other employees of the company. Can you imagine if he called your boss within the company and indicated that you were presenting a threat to the company?

So when he pulled this shit and called up a company out of the blue he probably thought his reign of terror would apply there too.

So if I were his boss I would not only look into this one case but I would look to see how many other cases he suppressed. Then, I would carefully look into his behaviour in the office. I would suggest that they hire an outside company that can do anonymous surveying of his immediate underlings and others that he has dealt with to see if he is a bully. I would also look into any firings that he was involved with; especially if they were outside his direct purview. Did he have some guy escorted out of the building because he wanted his parking space?