Category: General|Sep 8, 2020 | Author: Admin

Facebook Debuts Third-Party Vulnerability Disclosure Policy

Share on

If the social-media behemoth finds a bug in another platform’s code, the project has 90 days to remediate before Facebook goes public.
Facebook has implemented a fresh security vulnerability disclosure policy (VDP) this week – in an effort to explain how it decides when and how to roll out details on various bugs that its team finds in third-party software and open-source projects.

Generally speaking, companies will have 21 days to respond when Facebook files a report; if they don’t, the tech giant “reserves the right” to disclose the bug. If a report is acknowledged, the impacted company then has 90 days (from the time the report is filed) to patch before Facebook goes public.

However, there are exceptions to these guidelines. For instance, if Facebook determines that disclosing a security vulnerability sooner “serves to benefit the public or the potentially impacted people,” it may pull the ripcord on disclosure: For instance, if a bug is being actively exploited in the wild.

 Click to Register
The policy also says that Facebook may also disclose early if a patch is validated ready to go, but the project owner delays rollout; and conversely, if a project’s release cycle necessitates a longer window, it may agree to delay disclosure beyond the initial 90-day window.

“Our priority is to see these issues promptly fixed while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems,” the tech giant said, in its recently published VDP. “However…not all bugs are equally sensitive. A high-impact security issue requires much more care before it is publicly disclosed.”

As far as the communication process, the policy dictates that Facebook will first find the appropriate contact (an open-source project-maintainer, say) – and then will contact that person appropriately (via emails, bug trackers, support tickets, and so on) to provide a description of the issue found, a statement of Facebook’s VDP and the expected next steps.

Those next steps include the contact acknowledging the report and verifying/replicating the issue (and asking for more information if necessary) before working on a fix to be released within the 90-day window.

“Fixing an issue requires close collaboration between researchers at Facebook reporting the issue and the third-party responsible for fixing it,” according to the VDP. “Whenever appropriate, Facebook will work with the responsible contact to establish the nature of the issue and potential fixes. We will share relevant technical details to help expedite the fix.”

On a case-by-case basis, Facebook said it would coordinate disclosure with the impacted developer, either publicly or to specific people or companies using the project, and include/issue a CVE when appropriate.

The news comes as Facebook-owned WhatsApp rolls out its own changes this week. The messaging service has debuted a dedicated advisory page that provides a comprehensive list of WhatsApp security updates and associated CVEs, with descriptions aimed at helping researchers understand the impact of the bugs. WhatsApp said it will keep “with industry best practices” and not disclose security issues until claims have been “fully investigated,” “necessary fixes” issued, and updates provided through respective app stores.

Vulnerability disclosure is a hot topic of late, with The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) announcing this week a mandate for federal agencies to implement vulnerability-disclosure policies (VDPs). The move goes hand-in-hand with bug-bounty program goals; the idea is to give ethical hackers clear guidelines for submitting bugs found in government systems, to be rolled out by next March.

Sponsored Ads:

Comments:


Password program hacked again

Category: IT|Dec 3, 2022 | Author: Admin

Update your iPhone

Category: Apple|Dec 2, 2022 | Author: Admin

Tesla gets Dolby Atmos

Category: General|Dec 1, 2022 | Author: Admin

If Twitter is kicked out by Apple and Google, Musk will make his own mobile phone

Category: IT|Nov 30, 2022 | Author: Admin

The EU is investigating TikTok

Category: IT|Nov 29, 2022 | Author: Admin

Must be scrutinized extra carefully

Category: IT|Nov 28, 2022 | Author: Admin

Important drivers launched

Category: IT|Nov 27, 2022 | Author: Admin

Soon, Apple will make the big iPhone change

Category: Apple|Nov 26, 2022 | Author: Admin

Approaching the Apple iPhone

Category: Google|Nov 25, 2022 | Author: Admin

Microsoft is making an iPhone comeback

Category: Microsoft|Nov 23, 2022 | Author: Admin

This is how the iPhone 15 Pro becomes much faster

Category: Apple|Nov 22, 2022 | Author: Admin

Apple makes iPhone more like Android (if you want)

Category: Apple|Nov 21, 2022 | Author: Admin

These countries cheat the most and this is how they do it

Category: General|Nov 20, 2022 | Author: Admin

How to set up NightScout Docker using CyberPanel Hosting panel

Category: Tutorials|Nov 19, 2022 | Author: Admin

It will soon be over and out, warns Microsoft

Category: Microsoft|Nov 18, 2022 | Author: Admin
more