Facebook's security team left him with no choice, so he decided to post the bug report on CEO Mark Zuckerberg's wall instead, even though they are not friends.
An information systems expert based in Palestine using the name "Khalil" discovered a bug in Facebook which allows him to post to other users' walls even if these people are not on his friends list.
He immediately reported it to White Hat, Facebook's security team, hoping to receive a reward. White Hat offers at least $500 for every valid bug report.
Khalil posted on the wall of a girl named "Sarah", who is from the same university as Zuckerberg, and sent the link to the security team. His bug report included a message saying "I can post to Mark's wall too, but I will not because I do respect people's privacy".
White Hat responded to Khalil's report and said "Sorry, this is not a bug."
The security team left him no choice, so he decided to target the CEO's wall just to let them know that he was serious about his bug report. His post on Mark Zuckerberg's wall says:
Dear Mr. Zuckerberg,
First, sorry for breaking your privacy and posting to your wall; I had no other choice to make after all the reports I sent to the Facebook team.
My name is KHALIL from Palestine.
A couple of days ago I discovered a serious Facebook exploit that allows users to post to other users' Facebook timelines while they are not in the friend list.
I reported that exploit twice. The first time I got a reply that my link had an error while opening. The other reply I got was "Sorry, this is not a bug". I sent both reports to www.facebook.com/whitehat, and as you see I am not in your friend list and yet I can post to your timeline.
Shortly after his wall post, Facebook engineers reached out to him, blocked the Facebook account he was using, and asked for details of the bug. However, they will not be paying Khalil, as he violated some bug reporting policies. They did not disclose which policies Khalil violated.
Khalil's Facebook account has since been restored. He also posted screenshots of the "Facebook Vulnerability 2013" in a blog post and created a YouTube video on how to reproduce the bug.