> two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.
Are they allowed to escalate access, given the bounty rules?
Also, isn't the periodic collection of login credentials completely out of scope? What I mean is: once the initial vulnerability was located and the pentester got shell access in the system, shouldn't he have stopped there and reported?
You can read the story from a few months back to find that Facebook apparently has an unstated but non-repudiated policy of threatening to involve the FBI and actually doing reputational damage to researchers who they feel cross a (poorly described and enforced) line: https://news.ycombinator.com/item?id=10754194
In this case, they (correctly) went the other way, which creates even more uncertainty. Given this pattern of inconsistent enforcement mixed with threats, I would feel genuinely unsafe reporting a security vulnerability to Facebook except under very specific conditions. That's probably not what they're going for, but that's the environment they're creating.
But in this case, they specifically said that the researchers were unable to escalate. How does he know? Either the researchers violated the rules by trying and failing, or they didn't try and he's simply lying to make himself look better. By your reasoning and their policy, those are the only two possibilities.
What are we supposed to conclude from this? Under the current rules and assuming the description of what happened is accurate, it would seem you'll potentially be punished for establishing the full extent of a breach, unless it's not so bad, in which case you're rewarded for failing. In addition to being illogical and unfair, it also incentivizes OpSec to delude themselves and everyone else about their true security risks.
This is assessed based on how hard it was to elevate your access rights (whether it requires physical access, user cooperation, etc.), not on how much damage you can do - because once you elevated your rights the possible damage is unlimited.
Except in that case, he unearthed another completely unrelated vuln.
I agree that some actions are unethical, but does that really matter so much when a black hat is unethical anyways? The fact that he reported meant he harbored no malicious intent.
How is collecting logins better than that? Seriously? This is completely malicious if you ask me.
Moreover, we must not judge each case strictly to the same rule, but with a measure of consideration of the circumstances as well.
> Are they allowed to escalate access, given the bounty rules?
No. From Facebook's responsible disclosure policy [1]:
> You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
Both of the pen testers in this situation broke the rules. Once they found a security issue they exploited it and probed for additional issues (as well as one tester who attempted compromise of sensitive company data by collecting logins).
It's good that Facebook doesn't always apply these guidelines to the letter.