Facebook has published its first Vulnerability Disclosure Policy and given itself grounds to blab the existence of bugs to the world if it thinks that’s the right thing to do.
“Facebook may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software,” the company writes. “When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems.”
Facebook will evaluate based on our interpretation of the risk to people.
The Social Network™ has made itself the arbiter of what needs to be disclosed and when it needs to be disclosed. The company’s policy is to contact “the appropriate responsible party” and give them 21 days to respond.
“If we don’t hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability,” the policy says, adding: “If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Facebook will disclose the vulnerability.”
But the company has also outlined exceptions to those rules, with acceleration of disclosure if a bug is already being exploited and slowing down news “If a project's release cycle dictates a longer window.”
The third reason is:
If a fix is ready and has been validated, but the project owner unnecessarily delays rolling out the fix, we might initiate the disclosure prior to the 90-day deadline when the delay might adversely impact the public.
Facebook "will evaluate each issue on a case-by-case basis based on our interpretation of the risk to people.”
Facebook fires sueball at 'malicious' app SDK makers, accuses them of gobbling up people's personal informationREAD MORE
The policy isn’t wildly different from that used by Google’s Project Zero, which also discloses bugs after 90 days and also offers extensions under some circumstances.
Perhaps coincidentally, Facebook-owned WhatsApp today debuted a security advisories page that revealed six bugs found in the messaging service’s desktop and smartphone apps. While one CVE-2019-11928 carries a 2019 date and could therefore appear to be Facebook disclosing late, CVE numbers are handed out in blocks for later use so there’s no need for finger-wagging on this occasion. ®