Cloud ISVs Need to Review As Many Reports of Security Vulnerabilities As Possible
On August 20, 2013, Computerworld published an article by Greg Keizer, Security expert kick-starts fund to pay Facebook bug finder a $10K bounty. The following quote got our attention:
“‘The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission,’ said Facebook software engineer Matt Jones in a Sunday entry on Hacker News. ‘Exploiting bugs to impact real users is not acceptable behavior for a white hat.'”
“Jones did acknowledge that Facebook should have asked Shreateh for more information before dismissing his report, but he also ticked off a list of reasons, including the fact that Facebook receives ‘hundreds of reports each day’ and the lack of detailed proof in Shreateh’s original report. He also intimated that Shreateh’s poor English skills had been a problem.” (quoted from Greg Keizer’s article on Computerworld. We’ve provided a link to the complete article above).
In our opinion cloud ISVs, including Facebook, are in no position to be picky about the security vulnerabilities they decide to investigate. The one Mr. Shreateh uncovered is truly serious. Regardless of the quality of Mr. Shreateh’s English language skills, Facebook should have taken a detailed look at his claim. Instead Greg Keizer notes how they apparently ignored Mr. Shreateh’s claims and even took exception with their own policies and refused to give him the “bug bounty” they offer to the public.
The damaging point about all of this as far as Facebook is concerned is the glimpse we get into their customer service policy from this event. If Facebook can afford to ignore the claims of some serious technical flaws in their SaaS offer, which jeapordize their users, as Greg Keizer recounts, then customer service is not at the forefront of their efforts, despite all their claims of dedication to user privacy, etc.
When very prominent websites are suffering compromises on a daily basis, cloud ISVs need to step up their vigilance and look thoroughly into any/all claims like those Mr. Shreateh brought to Facebook’s attention.
© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved