
I had helped a friend report a security vulnerability to Facebook. It was similar in the sense that it allowed anyone who knew 2 Facebook usernames (easy to do) to post a private message to someone that would appear to come from a friend. You didn't even need to be authenticated on Facebook to do it and could post it from any machine on the Internet.

At first Facebook was similarly dismissive that it wasn't a bug. My friend pushed a bit to convince them with additional details and examples of how it could be easily used for exploits. They finally saw the light. The bug was fixed and my friend got paid $1K which wasn't much for the bug's seriousness. In any case it got fixed and my friend got acknowledged so it's OK.

It's a bit of a pity, though, that they didn't see it to be serious at first. I would have expected any mediocre engineer to skip a heartbeat when learning of such a bug in their system.
