Facebook has introduced a policy update under which the company will contact third-party developers when it detects a flaw in their code.
In a blog post announcing the move, Facebook said it “will sometimes find” critical bugs and vulnerabilities in the code and systems of third parties. “If that happens, our goal is to see these problems resolved quickly while ensuring that the affected people are notified so they can protect themselves by installing a patch or upgrading their systems.”
Facebook has disclosed vulnerabilities to third-party developers before, but the policy change formally codifies the company's commitment to report such vulnerabilities and, eventually, to disclose them publicly.
Vulnerability disclosure programs, or VDPs, let businesses set the rules of engagement for identifying and reporting security bugs. VDPs also support coordinated vulnerability disclosure, with public release once a bug is patched. Companies often pair a VDP with a bug bounty to compensate hackers who meet the company's reporting and disclosure requirements.
Changing the policy isn't altruistic. Like many other technology firms, Facebook depends on a large amount of third-party code and open-source libraries. Putting the policy in writing also puts third-party developers on notice: if they don't patch bugs promptly, Facebook will disclose them.
Casey Ellis, founder and chief technology officer at the vulnerability disclosure platform Bugcrowd, said the policy change is becoming increasingly common for businesses with a “big, user-centric, third-party attack surface,” and parallels similar initiatives by Atlassian, Google, and Microsoft.
Facebook said it would give third-party developers 21 days to respond when it reports a vulnerability, and 90 days to fix the problem, a widely accepted timeline for remediating and disclosing security issues.
The company says it will make reasonable efforts to find the correct channel for reporting a flaw, including but not limited to emailing security contact addresses, filing bugs in public bug trackers without including sensitive details, or filing support tickets. But it reserves the right to disclose earlier if attackers are actively exploiting the vulnerability, or to delay disclosure if it decides that more time is required to address a problem.
Generally speaking, Facebook said it would not sign a non-disclosure agreement (NDA) related to the security issues it reports. Luta Security founder Katie Moussouris said that “the Devil will be in the details.” “The test will be the first time they need to pull the trigger and drop a zero-day — with mitigation guidance — onto a rival,” she said, referring to unpatched vulnerabilities for which the affected business has had zero days to prepare a fix.
The new policy explicitly covers how Facebook handles the disclosure of issues in third-party code. Researchers who find a vulnerability in Facebook or its family of apps should continue to report it through the existing Bug Bounty Program.