
Without having a position in this debate myself: I think that's not quite fair.

My understanding is this: They got a report that a server can be compromised and fixed that vulnerability. Unbeknownst to them, the reporter grabbed a huge amount of (remote! not on that server, btw) data to play with.

Later the reporter returns to Facebook and says 'Btw, I got all these valuable pieces of information and have those for quite a while'.

Only at that point can you panic and rotate keys, but now you notice that a third party had access to all these keys for a month already. What else did they get? Maybe the researcher sat in a posh coffee place and grabbed interesting Instagram credentials (using the certificate) or escalated this further, gaining even more access based on the exposed information so far.

In my world, Facebook/Instagram are basically completely owned and have to assume that this guy grabbed ~everything~. They probably need to hire (vs. doing a bug bounty) people to grab the same data from the same buckets to look for potential follow-up targets that were _not_ disclosed, but might've fallen to the same bug hunter.

Who's to say that the guy doesn't come around on New Year's Eve with Yet Another Disclosure based on the same 'attack'?

I hate the 'contact the employer' part, but I'd hate to be in FB's shoes far more. I can hate the company and feel for its CSO/IT staff in this aftermath at the same time.



That's fair, but it implies that at no point did FB ask themselves "what would someone who exploited this vulnerability have access to?" If they had, they would have realized they were completely owned before the researcher pointed it out to them and taken steps to fix it (changing keys, etc.). At that point the researcher would be the least of their worries, and they would have tried to figure out if anyone else had completely owned them.

However, since they were unable to figure out that the friendly researcher owned them until he told them, we now know that FB itself doesn't know who has their data.


