The updated policy is intended to make researchers more comfortable about disclosing a security bug to Facebook, without the fear of being sued by the social networking giant.
Facebook traditionally has encouraged researchers who discover a possible security problem on the site to follow “responsible disclosure” practices, by directly notifying the company of the issue. The submitter then should allow Facebook time to investigate and fix the problem before going public with details.However, the previous version of the policy could have led some to believe that Facebook reserved the right to sue bug finders, company spokesman Simon Axten told SCMagazineUS.com in an email Monday.
“This wasn't our intention, and so we've changed it to read less strictly,” he said.
The policy now reads: “If you share details of a security issue with us and give us a reasonable period of time to respond to it before making it public, and in the course of that research made a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service, we will not bring any lawsuit against you or ask law enforcement to investigate you for that research."
Members of the nonprofit digital security and privacy advocacy organization Electronic Frontier Foundation (EFF) helped Facebook craft the revised policy.
Many other software and hardware providers try to deal with security flaws internally and do not encourage researchers to report issues, Marcia Hofmann, senior staff attorney at the EFF, said in a blog post Friday. As a result, researchers are often deterred from reporting such issues to companies out of fear of prosecution.
“We hope to see others follow Facebook's lead and go even further,” Hoffman wrote. “The more transparent companies are about their approaches to vulnerability disclosure — and the more they encourage users to come forward — the more often they will learn about problems that need to be fixed.”
Such transparency will ultimately lead to better and more secure services, she said.
The ongoing debate over responsible disclosure gained steam this year when a Google researcher publicly released details about a Windows vulnerability after he was unable to negotiate a timeline for a fix with Microsoft.
Not long after, Microsoft announced a new initiative, known as coordinated vulnerability disclosure, that seeks to align efforts between researchers and vendors.
Google also chimed in, issuing new guidelines that call for vendors to patch bugs within at most 60 days. If they fail to meet an agreed-upon deadline, or if they fail to address the issue, the researcher has the right to publicly disclose details about the vulnerability in question.
Meanwhile, some vendors, such as Google and Mozilla, go so far as to provide researchers cash rewards for vulnerability disclosures, a practice that has garnered mixed reactions among the security community.