Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Out of interest, would something as easy to find as this qualify for the bug bounty?


I would hope so. It shouldn't matter how "easy" something is to find. If the bug was really that easy, the team should have never let it out onto production.


Off the top of my head I can't speak to Facebook's program, but Google's terms include "substantially affects the confidentiality or integrity of user data". A login page that shouldn't be exposed is a marginal finding and might not qualify.

Also: obviously I don't speak for either Facebook or Google, but I strongly recommend against brute-forcing login prompts to try to prove the point that an exposed console is a real finding.


"Report a bug that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure"

^That's Facebook's. Theoretically, an exposed login page "could...enable access to a system within the Facebook infrastructure", but to be fair, I doubt they had that in mind.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: