
Assuming that's true (and I personally don't believe Stamos would flagrantly fabricate a detailed story like this publicly), this is a game changer. It's fully reasonable to escalate to an employer if they seem to be affiliated with the security researcher's report.

Also worth noting that this is frequently done in the security industry - folks will often credit not only themselves but also the companies they work with and are associated with in a security report.



No, Alex just assumed. Why didn't he just ask Wes if he was doing this for Synack?


He "assumed" because the researcher signed up for the Facebook bounty program as an employee of Synack and used his Synack email to communicate with Facebook.

He wasn't guessing. He didn't look the guy up on LinkedIn.


> He didn't look the guy up on LinkedIn.

I don't really see how else you can interpret the defense "he has written blog posts that are used by Synack for marketing purposes".

And it's pointed out all over the thread, but no part of "the researcher signed up for the Facebook bounty program as an employee of Synack and used his Synack email to communicate with Facebook" is uncontested, nor is it supported by the text of Alex Stamos' response. You've just read in what you want to see.


> At this point, it was reasonable to believe that Wes was operating on behalf of Synack

> He "assumed" because the researcher signed up for the Facebook bounty program as an employee of Synack and used his Synack email to communicate with Facebook. He wasn't guessing. He didn't look the guy up on LinkedIn

This is a load of baloney / ass-covering by Alex - Facebook's bounty program explicitly deals with individuals only, not companies and Alex knows this. From https://www.facebook.com/whitehat/

> We only pay individuals

edit: down-voters, please point out the faults in my logic.


From Wes' updated post:

> I never contacted Facebook or Alex using my work email account. It was only after Alex contacted my employer via email that I sent a reply from my work account. Alex indirectly contacted me at work, not the other way around.


Why not ask Wes directly if he is working on behalf of his company? It seems shady, at the least, to resort immediately to his employer.



