That's kinda disingenuous and you know it. From the previous discussion[0], you should know not to take one side of the story at face value.

[0]https://news.ycombinator.com/item?id=10754194



Having participated in that conversation I can say that the timelines and statements from Facebook were suspect. I'm sure the researcher didn't make the best choices, but how Facebook handled it was horrible and should make anyone participating in that bug bounty carefully consider every action they take against Facebook's infrastructure.


Wow. That was an interesting set of comments to read. The consensus of the crowd was actually against Facebook in that one, probably due to their overpromising on bounties for big compromises and under-delivering, plus going after the dude's job. A number of security professionals, including a friend of Stamos, were against that because he dumped and sat on data, plus had his business info involved. They cited expectations of pentesters and responsible disclosure. What a mess.

I don't think Wes acted in good faith in that one but neither did Facebook in anything privacy-related. Who cares about fundamental ethics given parties involved. I will say his actions were nearly warranted if Facebook was promising huge bounties for something that could cause them big problems which that case seemed to be from that thread's comments. I don't know for sure.

Far as escalation or downloading data, I found that to be the only way to get taken seriously by management. Had to be done non-disruptively with trusted personnel, protection of that data (e.g. RAM drives, crypto), and assurance it was gone after. Rarely even read it, as filenames & credentials were enough. Nothing like showing marketing plans or private emails to execs, with a contract that's vague enough for it to be legal, to get security taken seriously. Responsible disclosure debates of the '90s showed us that letting the vendor decide almost always resulted in them downplaying risk, saying it "hypothetically" could do something but was probably overstated. People playing that game usually get bounties that yearly add up to less than a median IT person.

Rather not play that game. If the company bullshits, do what you can within their legal framework to call them on it, and provably without doing any damage. If they didn't in that case, then he went way overboard and looks like he's running an extortion racket. I think key parts of the story aren't published and I can't be sure. Good news is Facebook and Wes both don't mean shit to me. Moving on. Appreciate the entertainment and different perspectives, though. :)