Facebook to Warn Third-Party Developers of Vulnerable Code

Facebook has announced a policy change under which the company will notify third-party developers when it finds a security vulnerability in their code. Facebook has notified third-party developers of vulnerabilities before, but the change formally codifies its approach to disclosing the security vulnerabilities it finds.

In a blog post announcing the change, Facebook said it “may occasionally find” critical bugs and vulnerabilities in third-party code and systems. “When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems.”

Vulnerability disclosure programs (VDPs) allow companies to set the rules of engagement for finding and disclosing security bugs. VDPs also help guide the disclosure and publication of vulnerabilities once a bug is fixed. Companies often use a bug bounty to pay hackers who follow the company’s reporting and disclosure rules.

The policy change is not entirely altruistic. Facebook relies on a ton of third-party code and open-source libraries. But by putting the change in writing, it also puts third-party developers on notice that they are expected to fix vulnerabilities in a timely fashion.

Casey Ellis, founder and chief technology officer at vulnerability disclosure platform Bugcrowd, said the policy shift was becoming increasingly popular for companies with a “large, user-centric, third-party attack surface,” and echoes similar efforts by Atlassian, Google and Microsoft.

Facebook said that when it finds a vulnerability, it will give third-party developers 21 days to respond and 90 days to fix the issue, a widely accepted time frame for reporting and remediating security issues. The company says it will make a reasonable effort to find the right contact for reporting a vulnerability, including, but not limited to, emailing security-reporting addresses, filing bugs without confidential details in public bug trackers, or filing support tickets.

But the company said it reserves the right to disclose sooner if the vulnerability is actively being exploited by hackers, or delay its disclosure if it’s agreed that more time is needed to fix an issue. Facebook said it will generally not sign a non-disclosure agreement (NDA) specific to the security issues it reports.

The new policy is focused specifically on how Facebook handles disclosure of issues in third-party code. If researchers find a security vulnerability on Facebook, or within its family of apps, they will continue to report it through the existing Bug Bounty Program.