
Facebook unveils new vulnerability disclosure policy

The company will publish all flaws it discovers within 21 days, if third-party developers don’t respond to communication


Facebook has announced a new policy for disclosing vulnerabilities in third-party software detected by its internal security researchers. The company will publicly disclose vulnerabilities in third-party code and systems, including open-source software, 90 days after reporting them, should there be no fixes.

However, if third-party developers don’t respond to reports within 21 days, the social media giant has threatened to disclose these flaws publicly anyway, regardless of the status of any patches.

The firm says it has set out these policies as it steps up its efforts to identify and disclose flaws, so that developers fix them as soon as possible.

Although each vulnerability will be taken on a case-by-case basis, Facebook says there are occasions on which it will deviate from its 90-day requirement.

Disclosure will come sooner if a bug is being actively exploited or if a fix is ready but has been delayed unnecessarily, while where a project’s release cycle dictates a longer window, publication of the bug will be delayed.

“In a nutshell, Facebook will contact the appropriate responsible party and inform them as quickly as reasonably possible of a security vulnerability we’ve found,” the company posted in an update.

“We expect the third party to respond within 21 days to let us know how the issue is being mitigated to protect the impacted people. If we don’t hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability. If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Facebook will disclose the vulnerability.


“That said, we will adhere to the vulnerability disclosure steps and the proposed timelines whenever reasonably possible, but we can envision scenarios where there might be deviations. If Facebook determines that disclosing a security vulnerability in third party code or systems sooner serves to benefit the public or the potentially impacted people, we reserve the right to do so.”
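As an added illustration, not from the article or from Facebook, the timeline described above can be turned into a small tracker for reports a team has sent to third parties: 21 days for a response, 90 days for a fix, earlier disclosure when a bug is actively exploited or a ready fix is being held back, and a later date when a project's release cycle calls for one. The record fields, the `Decision` type and the sample dates are assumptions made for this example; they do not come from Facebook's policy text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows taken from the policy described in the article.
RESPONSE_WINDOW = timedelta(days=21)   # vendor expected to respond within 21 days
FIX_WINDOW = timedelta(days=90)        # fix or credible mitigation plan within 90 days


@dataclass
class ThirdPartyReport:
    """Tracking record for one vulnerability reported to a third party.

    Field names are assumptions made for this example, not a format used
    by Facebook.
    """
    identifier: str                             # internal tracking id (constructed)
    reported_on: date                           # date the vendor was notified
    vendor_responded_on: Optional[date] = None  # first substantive reply
    fix_available: bool = False                 # vendor has shipped a fix
    actively_exploited: bool = False            # exploitation seen in the wild
    fix_ready_but_delayed: bool = False         # fix exists but release is held back
    # A later date agreed because the project's release cycle needs it.
    release_cycle_deadline: Optional[date] = None


@dataclass
class Decision:
    action: str                       # "fixed", "disclose" or "wait"
    reason: str
    next_deadline: Optional[date] = None


def disclosure_status(report: ThirdPartyReport, today: date) -> Decision:
    """Apply the article's timeline to one report as of `today`."""
    if report.fix_available:
        return Decision("fixed", "vendor has shipped a fix")

    # Deviations that bring disclosure forward take priority over the clocks.
    if report.actively_exploited:
        return Decision("disclose", "bug is being actively exploited")
    if report.fix_ready_but_delayed:
        return Decision("disclose", "fix is ready but its release is unnecessarily delayed")

    # 21-day response clock: silence lets the reporter disclose regardless of patches.
    response_deadline = report.reported_on + RESPONSE_WINDOW
    if report.vendor_responded_on is None and today >= response_deadline:
        return Decision("disclose", "no vendor response within 21 days")

    # 90-day fix clock; a release-cycle extension replaces the default window.
    fix_deadline = report.release_cycle_deadline or (report.reported_on + FIX_WINDOW)
    if today >= fix_deadline:
        return Decision("disclose", "no fix within the disclosure window")

    # Still inside the policy windows: report the next date that matters.
    if report.vendor_responded_on is None:
        return Decision("wait", "awaiting vendor response", response_deadline)
    return Decision("wait", "awaiting fix", fix_deadline)


if __name__ == "__main__":
    # Constructed sample reports; the dates and ids are made up for this example.
    samples = [
        ThirdPartyReport("EX-1", date(2020, 9, 1)),
        ThirdPartyReport("EX-2", date(2020, 9, 1), vendor_responded_on=date(2020, 9, 10)),
        ThirdPartyReport("EX-3", date(2020, 9, 1), vendor_responded_on=date(2020, 9, 10),
                         release_cycle_deadline=date(2020, 12, 15)),
        ThirdPartyReport("EX-4", date(2020, 9, 1), actively_exploited=True),
    ]
    for day in (date(2020, 9, 15), date(2020, 9, 25), date(2020, 11, 30)):
        for sample in samples:
            d = disclosure_status(sample, day)
            print(day, sample.identifier, d.action, d.reason, d.next_deadline)
```

Running the block prints, for each sample date, what the policy would call for on every open report; in practice the same function would be run daily over a queue of outbound reports so that nothing is disclosed early or forgotten past its window.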

The policy arrives alongside the launch of a separate security advisory segment for WhatsApp, which on launch listed six new flaws affecting versions of the messaging platform, varying in nature and severity. CVE-2020-1894, for example, is a stack write overflow bug, while CVE-2020-1889 is a security feature bypass issue in WhatsApp Desktop.

Facebook’s programme is fairly similar to industry-standard vulnerability disclosure schemes, particularly in its 90-day publication policy, which many rival tech companies have adopted. Google’s Project Zero, for example, has touted the benefits of a 90-day disclosure policy and rolled out an automatic 90-day disclosure policy in January.

Apple, by way of contrast, was criticised for implementing an effectively ‘limitless’ disclosure window on its new internal iPhone bug-hunting scheme, with security researchers describing these policies as a “poison pill”.
