
I saw it more like:

  Researcher: "I found a way to unlock your door"

  Facebook: "Thanks, here's $2500. We've now fixed the problem."

  Researcher: "Oh, hey, about that bug. Turns out that
 door, if the guys from the Ashley Madison breach had found
 it first, your entire company would lose billions in market
 cap, you and all your friends would no longer have jobs,
 and the trust placed in your company by the public would
 be so eroded that there's a good chance it would no longer
 exist."

  Facebook: "Well, this is embarrassing. Our boss found out
 and talked to your boss, the subject of lawyers and law
 enforcement may have been mentioned in an effort to keep
 this info from getting to the public, and when this failed, he
 made a highly visible blog post discrediting your
 professional conduct."

  Researcher: <gobsmacked>

You can make the case for misconduct on both sides, but I'm more inclined to side with the researcher. If you define bugs and the associated bounty by the amount of possible damage they could cause, this one would definitely be 'catastrophic'. And Facebook would still be none the wiser if he hadn't dug deeper.

