Facebook Announces Vulnerability Reporting and Disclosure Policy (Security News, September 2020)
Facebook is giving third-party application developers three weeks to respond to vulnerability reports and three months to patch bugs before public disclosure.
As part of the responsible disclosure process, Facebook will make a reasonable effort to contact the impacted third party and will provide them with the information required to understand the reported problem.
The third party is expected to address the reported vulnerability within 90 days and, if no mitigating circumstances are identified, Facebook will disclose the issue publicly as soon as it can.
Facebook's Vulnerability Disclosure Policy also details disclosure paths, as well as potential scenarios in which the company will deviate from the 90-day patch requirement, such as active exploitation of the identified security flaw or unnecessary delays in deploying a fix.
"We will strive to be as consistent as possible in our application of this policy. Nothing in this policy is intended to supersede other agreements that may be in place between Facebook and the third party, such as our Facebook Platform policies or contractual obligations," the social platform says.