Disclaimer: I was a Security Engineer on the FB Security Team until last month and was also involved in the Bug Bounty Program :-)
That's not how Facebook treats Bug Bounty Participants. By far, it's one of the better programs in terms of payouts, fairness, and triage time on critical issues.
Just a recent example: a bug bounty hunter reported unexpired CDN links. After internal research, FB figured out how to chain this into a Remote Code Execution and paid out 80k USD to the researcher. (https://www.facebook.com/BugBounty/posts/approaching-the-10t...)
That said, I wasn't there in 2015, so I only know the story from some stories (which portray the story a tad differently). Even if it were true, I haven't seen such treatment in the last three years at FB.
Forgive us (non-facebook engineers) if we don't take your (single rank-n-file engineer) anecdotal experience for official company policy when there's a public documented case of the head of the department doing otherwise.
Based on FB's official rebuttal, he had mentioned his company affiliation on the bug bounty portal account and had used a company email address for the communications. To me, this indicates that he was acting in an official company capacity.
Further, they didn't reach out to the CEO of the company until after he'd exfil'd data from the IG S3 bucket outside the scope of the bug report to try and leverage a bigger payout.
I have no reason to doubt any of that.
There's a lot of negatives about working at Facebook, but a lack of professionalism is not one of them.
I think FB's greatest achievement is convincing their employees that their jobs are actually good for society, or at least neutral. Plenty of good people working there who seem honestly confused about how their jobs lead to so much corruption and the downfall of our society.
Upton Sinclair got this right almost 100 years ago: “It is difficult to get a man to understand something, when his [RSUs depend] on his not understanding it.”
Of course, I also work at a FAANG, so people in glass houses and all that...
Their culture of continuous (and I do mean continuous) performance review ensures they're always focused on not losing their jobs. If you know someone who works there, ask 'em.