
Comment communication skills (Score 2) 95

Not trying to play devil's advocate here, but any vulnerability researcher must understand that finding flaws is only half of the job. You must also be able to successfully explain each flaw and make it understood even to non-technical people, or your work is somewhat worthless.

Now it's true that one can expect a reasonable technical skill from the Facebook person reviewing your bug submissions, but they also, as they stated, go through a lot of invalid and spurious submissions a day.

So in case you are hoping for a reward, you had better make your submission as clear as possible before going mad and going public. Also, you should at least retry and send additional details before giving up on them (reports do not mention whether the researcher "repeatedly" tried to explain the vuln to them).

IMHO the lack of patience from the researcher illustrates that he really does not care about making Facebook (or anything) more secure. Only money drives him. This is perfectly acceptable, but not quite the image for raising money as if he were a true whitehat.

Comment VRPs are the new sweatshops (Score 3, Interesting) 95

This is indeed true, especially for popular companies with rather mature SecOps that pay minimum wages for vulnerabilities that are indeed hard to find or require a pretty darn good skill level to discover. Some of them even only offer swag in exchange for finding serious threats such as persistent XSS or authentication bypass. They may feature the researcher in some blog post to publicly thank him and attract the wannabe crowds.

Having said that, I myself have participated in several of these programs (with varying success) and come to realize that probably Google and Facebook are the only VRPs currently paying reasonable wages for bugs in terms of cost efficiency for the researcher.

On the other hand, some of us just enjoy trying to find security bugs for fun from time to time (maybe because we are huge nerds), so these programs offer a great opportunity to test things without risking ending up in jail.

Comment QR codes != information (Score 0) 127

"If the QR idea takes hold memorials will be able to tell much more to future generations."

Not necessarily. QR codes are only links to other resources; they can't hold useful information by themselves. The availability of the information depends on the provider of the content they refer to.

Comment not only prevent, but also mitigate (Score 5, Insightful) 333

While one can arguably say everything can be hacked (unless air-gapped), in certain scenarios you can at least mitigate the impact of a breach to make it almost irrelevant.

The easiest example is password storage. Some SQLi may get through and provide someone with a dump of your user passwords, but if you follow up-to-date recommended security practices, the data will be nearly useless.

That being said, just by reading the Web Application Hacker's Handbook and following all of its recommendations you will have a pretty secure app.
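As an added illustration of the password-storage point above (example code written for this page, not the commenter's own), the snippet below stores each password as a salted, iterated PBKDF2-HMAC-SHA256 record and verifies logins with a constant-time comparison. The record format, iteration count and the constructed sample user table are assumptions for the example. The point it shows is that two users with the same password end up with different stored rows, and that a leaked table yields no plaintext and forces an attacker into slow per-user guessing, which is why a dump of such a table is "nearly useless".

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Example parameters (assumptions, not the page's own): per-user random salt
# and a high PBKDF2 iteration count so offline guessing stays slow.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the parameters alongside the hash lets the iteration count be
    raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_user_table(credentials: Iterable[Tuple[str, str]]) -> dict:
    """Constructed stand-in for a users table: only the hash record is stored,
    never the plaintext, so a dump of this dict reveals no passwords."""
    return {user: hash_password(pw) for user, pw in credentials}


def same_password_looks_different(table: dict, user_a: str, user_b: str) -> bool:
    """True when two rows differ even though the users chose the same password,
    which defeats precomputed (rainbow-table) lookups across the whole dump."""
    return table[user_a] != table[user_b]


if __name__ == "__main__":
    # Constructed sample users; both pick the same weak password on purpose.
    table = build_user_table([("alice", "hunter2"), ("bob", "hunter2")])
    for user, record in table.items():
        print(user, record)
    print("rows differ:", same_password_looks_different(table, "alice", "bob"))
    print("alice login ok:", verify_password("hunter2", table["alice"]))
    print("alice wrong pw:", verify_password("hunter3", table["alice"]))
```

The constant-time `hmac.compare_digest` matters on the verification path: a plain `==` on the hex strings can leak, via timing, how many leading bytes of a guess are right. Modern guidance prefers memory-hard functions such as Argon2id or scrypt where a library is available; PBKDF2 is used here only because it ships in the standard library.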

Google

Submission + - Google may harm your computer 3

dowlingw writes: "It looks like, for the moment at least, all Google results (for Australia at least) are failing the malware checks and being listed with a warning "This site may harm your computer", including all pages from Google themselves. Users trying to visit pages at search results will only be able to proceed via manual manipulation of the search result link to remove the Google click-through (which is also broken). Until Google fixes this bug, it looks like Google web search is useless."
PC Games (Games)

Windows 7 Gaming Performance Tested 179

Timmus writes "Gamers holding onto Windows XP may not have to fear sluggish performance when Windows 7 debuts. While Windows Vista's gaming performance was pretty spotty at launch, the Windows 7 beta build seems to handle most games well. Firingsquad has tested the Windows 7 beta against Windows XP SP3 and Vista SP1 on midrange and high-end gaming PCs across 7 different games. While the beta stumbles in a couple of cases, overall it performs within a few percentage points of Windows XP, actually outrunning XP in multiple benchmarks."
Linux Business

Pushing Linux Adoption Through Gaming 269

An article on CNet questions the viability of using games as part of a strategy to increase Linux adoption. It points out a blog post by Andrew Min which suggests: "... Linux companies also need to start paying attention to the open source gaming community. Why? It's lacking. However, gamers can get excited about free games. They just have to be up to par with commercial games. The problem is, commercial companies pay hundreds of employees to build a game for several years, while many competing gaming projects only last several years before the developer moves on. It's time for open source developers to start getting paid for their jobs. Who better to pay them than the companies that benefit most?"

Feed Engadget: Guitar Hero III wireless guitars hitting early 2008 (engadget.com)

Filed under: Gaming, Peripherals, Wireless

If the endless number of platform combinations between Rock Band and Guitar Hero III has you stymied already, here's a little tidbit to make it just a little bit harder to choose: Guitar Hero III wireless controllers are going to be available early next year for all platforms. Rock Band has wireless controllers on the way in a similar time frame for both the 360 and PS3, but for some reason the 360 version costs an extra $20, so hopefully Guitar Hero guitars keep some better price parity.


Comment decisions decisions... (Score 1) 55

Decisions are good for games

I'm kind of an old school gamer, and I always thought that in time games would evolve not only to provide better realistic graphics but also to increase the freedom you have in them. When a game really touches you, you automatically get trapped within its unique universe, and your experience is so much better when you really feel that "I can do almost everything" feeling.

It's a shame current state-of-the-art games usually just focus their appeal on graphics and pre-scripted sequences that only look great the first time you get to them. And even if you are not planning to play the game again after finishing it, a scripted scene always has that feeling of having nothing to do with the actions you just performed, or more importantly, that it has not happened because you *chose* it to happen.

Call of Duty 4 is a perfect example of this. Sure, the game looks great, definitely top-notch FPS gameplay. However, the game stinks of immutability. There is no freedom available in how to complete missions. There is only one way to do them. Maybe it is just too well designed to appeal to casual and hardcore gamers at the same time. Maybe they just tried to make the game approachable for the big audience. They probably succeeded in that, but they left freedom out in the process.

Take Half-Life 2 as a counter-example. When I played this game for the first time I really had a bad time figuring out gameplay mechanics. Nobody in the game tells you that you can use flammable barrels as grenades with your gravity gun. Nobody tells you a lot of things in that game. You just figure them out as you play, in a way maybe intended by the developers, but perfectly dressed up to make you believe you actually came up with the solution by yourself. The sense of accomplishment in this game is absolutely brilliant. Maybe it's not perfect, but it definitely points in the right direction, while CoD4 doesn't. GTA is another great example of the kind of freedom illusion games should offer nowadays.

I haven't picked up Mass Effect yet, but I'm really looking forward to it. It seems like an oasis in the desert of immutable games flooding us lately.
