Category: General|Sep 8, 2020 | Author: Admin

Facebook Debuts Third-Party Vulnerability Disclosure Policy

Share on

If the social-media behemoth finds a bug in another platform’s code, the project has 90 days to remediate before Facebook goes public.
Facebook has implemented a fresh security vulnerability disclosure policy (VDP) this week – in an effort to explain how it decides when and how to roll out details on various bugs that its team finds in third-party software and open-source projects.

Generally speaking, companies will have 21 days to respond when Facebook files a report; if they don’t, the tech giant “reserves the right” to disclose the bug. If a report is acknowledged, the impacted company then has 90 days (from the time the report is filed) to patch before Facebook goes public.

However, there are exceptions to these guidelines. For instance, if Facebook determines that disclosing a security vulnerability sooner “serves to benefit the public or the potentially impacted people,” it may pull the ripcord on disclosure: For instance, if a bug is being actively exploited in the wild.

 Click to Register
The policy also says that Facebook may also disclose early if a patch is validated ready to go, but the project owner delays rollout; and conversely, if a project’s release cycle necessitates a longer window, it may agree to delay disclosure beyond the initial 90-day window.

“Our priority is to see these issues promptly fixed while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems,” the tech giant said, in its recently published VDP. “However…not all bugs are equally sensitive. A high-impact security issue requires much more care before it is publicly disclosed.”

As far as the communication process, the policy dictates that Facebook will first find the appropriate contact (an open-source project-maintainer, say) – and then will contact that person appropriately (via emails, bug trackers, support tickets, and so on) to provide a description of the issue found, a statement of Facebook’s VDP and the expected next steps.

Those next steps include the contact acknowledging the report and verifying/replicating the issue (and asking for more information if necessary) before working on a fix to be released within the 90-day window.

“Fixing an issue requires close collaboration between researchers at Facebook reporting the issue and the third-party responsible for fixing it,” according to the VDP. “Whenever appropriate, Facebook will work with the responsible contact to establish the nature of the issue and potential fixes. We will share relevant technical details to help expedite the fix.”

On a case-by-case basis, Facebook said it would coordinate disclosure with the impacted developer, either publicly or to specific people or companies using the project, and include/issue a CVE when appropriate.

The news comes as Facebook-owned WhatsApp rolls out its own changes this week. The messaging service has debuted a dedicated advisory page that provides a comprehensive list of WhatsApp security updates and associated CVEs, with descriptions aimed at helping researchers understand the impact of the bugs. WhatsApp said it will keep “with industry best practices” and not disclose security issues until claims have been “fully investigated,” “necessary fixes” issued, and updates provided through respective app stores.

Vulnerability disclosure is a hot topic of late, with The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) announcing this week a mandate for federal agencies to implement vulnerability-disclosure policies (VDPs). The move goes hand-in-hand with bug-bounty program goals; the idea is to give ethical hackers clear guidelines for submitting bugs found in government systems, to be rolled out by next March.

Sponsored Ads:

Comments:


We never thought it would happen

Category: IT|Feb 22, 2024 | Author: Admin

It's finally over and the victims can rejoice

Category: IT|Feb 21, 2024 | Author: Admin

Accusing Intel of cheating

Category: IT|Feb 20, 2024 | Author: Admin

It was probably China that forced Apple

Category: Apple|Feb 19, 2024 | Author: Admin

It looks like Spotify is getting its revenge on Apple

Category: General|Feb 18, 2024 | Author: Admin

This changes everything

Category: IT|Feb 17, 2024 | Author: Admin

This is how Apple defends its new iPhone limitation

Category: Apple|Feb 16, 2024 | Author: Admin

Windows 11 will get this this month

Category: Microsoft|Feb 15, 2024 | Author: Admin

Watch out, they're shutting down on pc

Category: General|Feb 14, 2024 | Author: Admin

After 20 years, Apple's mistakes still haven't been fixed

Category: Apple|Feb 13, 2024 | Author: Admin

Now they want to shut them out completely

Category: Microsoft|Feb 12, 2024 | Author: Admin

Apple charges up for explosive AI launch

Category: Apple|Feb 11, 2024 | Author: Admin

Fixes weird iPhone errors

Category: Apple|Feb 10, 2024 | Author: Admin

Download Google's new AI

Category: Google|Feb 9, 2024 | Author: Admin

First Apple gave them everything, now they are removing this

Category: Apple|Feb 8, 2024 | Author: Admin
more