Facebook offers a bug bounty program; use it! I just did and got paid $2000 this month for reporting a crypto-related flaw. The thing is, if a company offers a bounty program and you choose to go around it and publicly disclose, you are sort of a jerk, and to more than just the company. Another researcher had already found and reported the bug. Facebook was already working on a fix. The researcher was likely waiting for the terms of the bug bounty program to be met so they could then publish and spin it into a Black Hat, DEF CON, CanSec talk. Then this kid comes along and takes the thunder. That's a real dick move.
How is this a bug? It's a feature of FB Messenger! He didn't have to exploit any bugs to get at the data. He just took what FB gave him and displayed it on a map. Why would this be eligible for a bug bounty?