Facebook announced Thursday its first formal policy on how it will disclose bugs security researchers find in other companies’ products.
The policy also details how long Facebook will give them to respond, repair and distribute the patch.
“Sharing our policy publicly helps everyone understand the right expectations about reporting/disclosure,” said Nathaniel Gleicher, head of security policy at Facebook, in a written statement. “We are releasing the policy to make the process of helping people fix these issues and become safer as smooth as possible.”
The Facebook policy codifies how it will interact with vendors across several industries. In the past, Facebook claims it has notified makers of vulnerabilities in VPN clients, VPN servers, optical switches, virtualization software, file storage appliances, email clients, and other items.
Developing a policy to warn third parties about vulnerabilities is the next logical evolution for firms like Facebook with a mature policy to accept vulnerabilities from outside researchers, said Katie Moussouris, CEO of LutaSecurity and a long-time leader in developing disclosure programs.
“If you’re doing things right with a disclosure program, you aren’t just waiting for people to report to you,” she said. “You’re getting better at finding them on your own.”
That includes finding bugs in the components that make up products, whether developed in house or purchased externally.
The policy states that Facebook will give third-party vendors 21 days to respond to the social media giant after divulging a vulnerability, and 90 days to make reasonable efforts to mitigate the vulnerability. If the third party misses either deadline, Facebook may decide to publicly disclose the vulnerability they’ve discovered.
These types of deadlines are standard in disclosure policies to ensure that vulnerabilities are taken seriously.
Facebook says it may modify its deadlines if it knows a patch is available but not being distributed; if product release cycles don’t align with other requirements; or if a vulnerability is “actively” being exploited.
Moussouris notes that the last condition will be best defined in practice – whether that means Facebook will release a vulnerability if any attacker uses a vulnerability or if it becomes more common.