I'm surprised at how many people just assume the FB sec team doesn't want to pay and therefore tries to not pay if they can get away with it. Their history of paying out is completely the opposite. I've reported several bugs and they're always extremely helpful. They're not an insurance company that wants to reduce cost by screwing over users and there is no historical evidence of that. They want to pay for bugs and get as many of them as possible. What they don't want is for researchers to mess with other users' data. The guy could have just used two accounts to demo (he managed to create a new account after his own account was blocked). Using Zucks account doesn't make it more convincing from a tech perspective. It only makes the guy taken less serious as most researchers care more about how it works than messing with accounts of famous people. Not the smartest move. I understand the sec team draws a line and doesn't pay researchers that mess with other people's data. That's not sleazy, that's sane otherwise it gets exponentially worse as people try to outdo each other in terms of impact instead of focusing on explaining the technique behind a hack.
"Using Zucks account doesn't make it more convincing from a tech perspective." - In this case, that's obviously false. The guy submitted the bug twice and the final reply was "This is not a bug." After posting to Zuckerberg's account it was subsequently fixed.
I'm sure the FB security team triages a lot of bug reports, and a few get away - hopefully they'll be better about trying to get more info (boiler plate requesting steps to replicate or a video), but beyond that no harm no foul. I can also see that they don't want to encourage researchers messing with real user data. However, if they paid him out and told him in the future, that he should provide more information and not use real accounts (or not get paid out, etc), that'd have the same effect (you know, since it already happened) w/o the bad will generated.
Instead, they didn't pay him, locked his account, and now we're reading that blog post, not only encouraging him and the people like him in the future to not submit these bugs in the future (certainly serious enough that it'd be worth discovering vs being in a 0-day marketplace), but generating way more visibility for no good reason. It's just not smart.
