A couple of months ago I reported a chained vector vulnerability which affected a corner case 2-Factor bug to Facebook. While their security department utilizes the same anonymous ticketing system their consumer support department I found the encounter professional and timely considering the multiple teams that must have been involved to perform analysis then test and deploy a fix. I’ve been on the side of these workflows previously and it all seemed well orchestrated (so, take that as my assessment re: people who have reported the opposite

Mostly, I was happy to do my due diligence in reporting the flaw after unintentional discovery. I once reported a similar corner case password reset circumvention flow to an unnamed credit reporting agency and was met with crickets (though I presume something happened after I reported?).

Also, I’m on the thanks wall:

And while I probably would have been happy with the wall post, based on some media reports its obvious others have not been happy without renumeration for low risk vector reporting. I am happy to report Facebook is making a small contribution to my children’s school.

TY FB — I will now redirect my critique of commercialized consumer data collection to other offenders during the sunset period afforded by this experience.