Home

Sep 8, 2020

Facebook Debuts Third-Party Vulnerability Disclosure Policy

authorarticle: Master3395
Facebook.png
video: 
youtube: 
sources: 
keywords: Bug Bounty, Facebook, Vulnerabilities, Web Security
Category: General
Posted by: Admin

If the social-media behemoth finds a bug in another platform’s code, the project has 90 days to remediate before Facebook goes public.
Facebook has implemented a fresh security vulnerability disclosure policy (VDP) this week – in an effort to explain how it decides when and how to roll out details on various bugs that its team finds in third-party software and open-source projects.

Generally speaking, companies will have 21 days to respond when Facebook files a report; if they don’t, the tech giant “reserves the right” to disclose the bug. If a report is acknowledged, the impacted company then has 90 days (from the time the report is filed) to patch before Facebook goes public.

However, there are exceptions to these guidelines. For instance, if Facebook determines that disclosing a security vulnerability sooner “serves to benefit the public or the potentially impacted people,” it may pull the ripcord on disclosure: For instance, if a bug is being actively exploited in the wild.

 Click to Register
The policy also says that Facebook may also disclose early if a patch is validated ready to go, but the project owner delays rollout; and conversely, if a project’s release cycle necessitates a longer window, it may agree to delay disclosure beyond the initial 90-day window.

“Our priority is to see these issues promptly fixed while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems,” the tech giant said, in its recently published VDP. “However…not all bugs are equally sensitive. A high-impact security issue requires much more care before it is publicly disclosed.”

As far as the communication process, the policy dictates that Facebook will first find the appropriate contact (an open-source project-maintainer, say) – and then will contact that person appropriately (via emails, bug trackers, support tickets, and so on) to provide a description of the issue found, a statement of Facebook’s VDP and the expected next steps.

Those next steps include the contact acknowledging the report and verifying/replicating the issue (and asking for more information if necessary) before working on a fix to be released within the 90-day window.

“Fixing an issue requires close collaboration between researchers at Facebook reporting the issue and the third-party responsible for fixing it,” according to the VDP. “Whenever appropriate, Facebook will work with the responsible contact to establish the nature of the issue and potential fixes. We will share relevant technical details to help expedite the fix.”

On a case-by-case basis, Facebook said it would coordinate disclosure with the impacted developer, either publicly or to specific people or companies using the project, and include/issue a CVE when appropriate.

The news comes as Facebook-owned WhatsApp rolls out its own changes this week. The messaging service has debuted a dedicated advisory page that provides a comprehensive list of WhatsApp security updates and associated CVEs, with descriptions aimed at helping researchers understand the impact of the bugs. WhatsApp said it will keep “with industry best practices” and not disclose security issues until claims have been “fully investigated,” “necessary fixes” issued, and updates provided through respective app stores.

Vulnerability disclosure is a hot topic of late, with The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) announcing this week a mandate for federal agencies to implement vulnerability-disclosure policies (VDPs). The move goes hand-in-hand with bug-bounty program goals; the idea is to give ethical hackers clear guidelines for submitting bugs found in government systems, to be rolled out by next March.

authorarticle: Master3395
Facebook.png
video: 
youtube: 
sources: 
keywords: Bug Bounty, Facebook, Vulnerabilities, Web Security

Comments:

comments powered by Disqus

Return

Sponsored Ads:

Discord

Page 1 of 564  >  >>

The new version of Windows 10 is more or less finished

2004.webp

Sep 22, 2020 | Category: Microsoft | Comments

Launched next month, is in the final test period.

read more…

Mozilla tightens belt, folds two Firefox services

mozilla.jpg

Sep 21, 2020 | Category: General | Comments

The Firefox browser maker is having to trim its sails again.

read more…

The United States bans TikTok and WeChat on Sunday

Tiktok.jpg

Sep 20, 2020 | Category: General | Comments

It is now known that the USA will ban WeChat and TikTok from the Apple App Store in the USA next Sunday.

read more…

Page 1 of 564  >  >>