02 Sep 2018

Facebook bug bounty awarded to Blaklis

On July 30, 2018, Daniel ‘Blaklis’ Le Gall (aka Matsuyama) of SCRT Information Security reported a flaw to Facebook that earned a $5k bug bounty. Blaklis scanned an IP range belonging to Facebook (199.201.65.0/24) and discovered an unstable Python-based service on 199.201.65.36, with the hostname sentryagreements.thefacebook.com, which still had the Django framework's debug mode enabled. Within the debugger's stack trace, which involved the Pickle protocol, a key was exposed that could have allowed user session hijacking.
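The root cause described above is a Django application left with `DEBUG = True`, whose technical error page dumps local variables (and with them secrets) to any client that triggers an exception. The following is an added example, not code from Facebook, SCRT or the write-up: a small Python checker that recognises Django's debug error page in an HTTP response body, reports any sensitive variable whose value was not masked, and audits a settings dictionary for the corresponding hardening. The sample response and the key value in it are constructed placeholders; the marker strings are the ones Django's technical 500 template emits.

```python
"""Detect a Django technical-500 page (rendered only when DEBUG=True) in an
HTTP response and flag secrets dumped in its "Local vars" section.

Added example; not the code of any party named in the write-up. The sample
response below is constructed and the key inside it is a fake placeholder.
"""
import re

# Strings present on Django's technical 500 page and absent from the plain
# "Server Error (500)" page served when DEBUG=False.
DEBUG_MARKERS = (
    "Django Version:",
    "Traceback (most recent call last)",
    "Local vars",
    "You're seeing this error because you have <code>DEBUG = True</code>",
)

# Variable names Django itself masks with asterisks in the settings dump.
# Values reached through local variables are often not masked, so we look
# for NAME 'value' pairs after stripping HTML tags.
SENSITIVE_NAMES = ("SECRET_KEY", "PASSWORD", "API_KEY", "TOKEN", "SIGNATURE")
ASSIGNMENT_RE = re.compile(
    r"\b([A-Z_]*(?:%s)[A-Z_]*)\b\s*[=:]?\s*['\"]([^'\"]+)['\"]" % "|".join(SENSITIVE_NAMES)
)
TAG_RE = re.compile(r"<[^>]+>")


def detect_debug_page(body: str) -> dict:
    """Return {'debug_page': bool, 'markers': [...], 'leaked': [names]}.

    Two or more markers are required so that a page merely mentioning
    'Local vars' in prose is not mistaken for a debug page.
    """
    markers = [m for m in DEBUG_MARKERS if m in body]
    leaked = set()
    if len(markers) >= 2:
        text = TAG_RE.sub(" ", body)  # collapse HTML so NAME and value are adjacent
        for name, value in ASSIGNMENT_RE.findall(text):
            if set(value) != {"*"}:  # '********************' means Django masked it
                leaked.add(name)
    return {"debug_page": len(markers) >= 2, "markers": markers, "leaked": sorted(leaked)}


def audit_settings(settings: dict) -> list:
    """Return the hardening gaps in a Django settings mapping (the fix side)."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG is True: error pages will dump local variables to clients")
    if not settings.get("ALLOWED_HOSTS"):
        findings.append("ALLOWED_HOSTS is empty: required when DEBUG is False")
    return findings


# Constructed sample of what a DEBUG=True error page looks like; the key is fake.
SAMPLE_DEBUG_PAGE = """<!DOCTYPE html>
<title>KeyError at /agreements/</title>
<h1>KeyError at /agreements/</h1>
<table class="meta"><tr><th>Django Version:</th><td>x.y</td></tr></table>
<div id="traceback"><h2>Traceback (most recent call last)</h2>
<div class="commands">Local vars</div>
<table class="vars">
<tr><td>SECRET_KEY</td><td class="code"><pre>'FAKE-SAMPLE-KEY-not-a-real-secret'</pre></td></tr>
<tr><td>DB_PASSWORD</td><td class="code"><pre>'********************'</pre></td></tr>
</table></div>
<p>You're seeing this error because you have <code>DEBUG = True</code> in your Django settings file.</p>
"""

# Constructed sample of the response the same exception yields with DEBUG=False.
SAMPLE_PLAIN_500 = "<h1>Server Error (500)</h1>"


if __name__ == "__main__":
    print(detect_debug_page(SAMPLE_DEBUG_PAGE))
    print(detect_debug_page(SAMPLE_PLAIN_500))
    print(audit_settings({"DEBUG": True, "ALLOWED_HOSTS": []}))
    print(audit_settings({"DEBUG": False, "ALLOWED_HOSTS": ["example.com"]}))
```

Run as a post-deployment smoke check against your own service: request a URL that raises (or a deliberately broken path), feed the body to `detect_debug_page`, and fail the pipeline if `debug_page` is true or `leaked` is non-empty. A key that has ever appeared in such a page should be rotated, since it signs the session cookies the write-up says could have been hijacked.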

Facebook promptly patched the server in question on August 9th and awarded Blaklis $5k for his sophisticated sleuthing.
