Facebook provides three weeks for third-party application developers to respond to vulnerability reports and three months to patch bugs before public disclosure.
This week, the social media giant took the wraps off a vulnerability disclosure programme covering vulnerabilities that its researchers find in third-party code and frameworks, including open source applications.
The policy's purpose, says Facebook, is to ensure that the identified issues are addressed as quickly as possible and that the people affected are informed about the problem, so that they can patch their systems to stay protected.
The social platform also states that high-impact security flaws will receive more attention before public disclosure, and that its researchers will work closely with application developers to assist with the fixing process whenever possible.
“We expect the third party to respond within 21 days to let us know how the problem is being mitigated to protect the people that have been affected. If we do not hear back within 21 days of posting, Facebook reserves the right to expose the vulnerability. If no patch or update indicating that the problem is being resolved in a reasonable way is available within 90 days of posting, Facebook will disclose the vulnerability,” the company says.
Facebook also reveals that, should it conclude that revealing a vulnerability before the defined deadline would benefit the public, it could do so.
Facebook will make a reasonable effort to contact the affected third party as part of the responsible disclosure process and will provide them with the details needed to understand the reported problem. Additional information will be provided, if necessary.
“If we don’t receive a response within 21 days from a person identifying a vulnerability issue, we’ll assume that no action will be taken. We reserve the right then to disclose the question,” says Facebook. The sending of the report is treated as the start of the timeline.
The company says it is willing to work on solutions with the third party but needs accountability on mitigation progress. The third party is expected to address the recorded problem within 90 days, and Facebook will disclose the issue publicly as soon as possible if no mitigating circumstances are found.
Facebook’s Vulnerability Disclosure Policy also outlines disclosure routes, as well as possible situations where the organisation deviates from the 90-day patch deadline, such as the intentional exploitation of the detected security bug or excessive delays in implementing a fix.
“We will aim to be as consistent in our implementation of this policy as possible. Nothing in this policy is intended to replace other arrangements that might exist between Facebook and the third party, such as our rules on the Facebook Site or contractual obligations,” says the social media company.
This week, Facebook also released WhatsApp Security Advisories, a resource intended to improve accountability by presenting details on all of the vulnerabilities discussed in the messaging service and applications.
“We can’t always mention security advisories inside app release notes because of the policies and procedures of the app stores. This advisory page lists WhatsApp’s security updates and related Common Vulnerabilities and Exposures (CVE). Please note that the information contained in CVE explanations is intended to help researchers understand technological scenarios and does not indicate that users have been affected in this way,” the firm says.
In addition, Facebook says it will alert third-party library developers and mobile operating system providers when security problems affecting their code are discovered.