Facebook Debuts Third-Party Vulnerability Disclosure Policy
Security News, September 2020
Facebook this week published a new vulnerability disclosure policy (VDP) that explains how it decides when, and in what form, to release details of bugs its researchers find in third-party software and open-source projects.
If Facebook determines that earlier disclosure "serves to benefit the public or the potentially impacted people," it may publish before its standard 90-day deadline, for instance when a bug is being actively exploited in the wild.
The policy also allows early disclosure when a fix has been validated and is ready to ship but the project owner delays releasing it. Conversely, if a project's release cycle genuinely requires more time, Facebook may agree to extend disclosure beyond the initial 90-day window.
As for the communication process, the policy states that Facebook will first identify the appropriate contact for the affected project and then notify that contact with a description of the issue, a statement of Facebook's VDP and the expected next steps.
"Fixing an issue requires close collaboration between researchers at Facebook reporting the issue and the third party responsible for fixing it," according to the VDP. "Whenever appropriate, Facebook will work with the responsible contact to establish the nature of the issue and potential fixes. We will share relevant technical details to help expedite the fix."
News URL
https://threatpost.com/facebook-third-party-vulnerability-disclosure-policy/158976/