Category: General|Sep 8, 2020 | Author: Admin

Facebook Debuts Third-Party Vulnerability Disclosure Policy


If the social-media behemoth finds a bug in another platform’s code, the project has 90 days to remediate before Facebook goes public.
Facebook has implemented a fresh security vulnerability disclosure policy (VDP) this week – in an effort to explain how it decides when and how to roll out details on various bugs that its team finds in third-party software and open-source projects.

Generally speaking, companies will have 21 days to respond when Facebook files a report; if they don’t, the tech giant “reserves the right” to disclose the bug. If a report is acknowledged, the impacted company then has 90 days (from the time the report is filed) to patch before Facebook goes public.

However, there are exceptions to these guidelines. If Facebook determines that disclosing a security vulnerability sooner “serves to benefit the public or the potentially impacted people,” it may pull the ripcord on disclosure early; a bug that is being actively exploited in the wild is one such case.

The policy also says that Facebook may disclose early if a patch has been validated and is ready to go but the project owner delays its rollout; conversely, if a project’s release cycle necessitates a longer window, Facebook may agree to delay disclosure beyond the initial 90-day window.

“Our priority is to see these issues promptly fixed while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems,” the tech giant said, in its recently published VDP. “However…not all bugs are equally sensitive. A high-impact security issue requires much more care before it is publicly disclosed.”

As for the communication process, the policy dictates that Facebook will first identify the appropriate contact (an open-source project maintainer, say) and then reach that person through the appropriate channel (email, bug trackers, support tickets, and so on) to provide a description of the issue found, a statement of Facebook’s VDP and the expected next steps.

Those next steps include the contact acknowledging the report and verifying/replicating the issue (and asking for more information if necessary) before working on a fix to be released within the 90-day window.

“Fixing an issue requires close collaboration between researchers at Facebook reporting the issue and the third-party responsible for fixing it,” according to the VDP. “Whenever appropriate, Facebook will work with the responsible contact to establish the nature of the issue and potential fixes. We will share relevant technical details to help expedite the fix.”

On a case-by-case basis, Facebook said it would coordinate disclosure with the impacted developer, either publicly or to specific people or companies using the project, and include/issue a CVE when appropriate.

The news comes as Facebook-owned WhatsApp rolls out its own changes this week. The messaging service has debuted a dedicated advisory page that provides a comprehensive list of WhatsApp security updates and associated CVEs, with descriptions aimed at helping researchers understand the impact of the bugs. WhatsApp said it will keep “with industry best practices” and not disclose security issues until claims have been “fully investigated,” “necessary fixes” issued, and updates provided through respective app stores.

Vulnerability disclosure is a hot topic of late, with the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) announcing this week a mandate for federal agencies to implement vulnerability-disclosure policies (VDPs). The move goes hand-in-hand with bug-bounty program goals; the idea is to give ethical hackers clear guidelines for submitting bugs found in government systems, with the policies to be rolled out by next March.
