The updated policy is intended to make researchers more comfortable about disclosing a security bug to Facebook, without the fear of being sued by the social networking giant.
Facebook traditionally has encouraged researchers who discover a possible security problem on the site to follow “responsible disclosure” practices, by directly notifying the company of the issue. The submitter then should allow Facebook time to investigate and fix the problem before going public with details. However, the previous version of the policy could have led some to believe that Facebook reserved the right to sue bug finders, company spokesman Simon Axten told SCMagazineUS.com in an email Monday.
Many other software and hardware providers try to deal with security flaws internally and do not encourage researchers to report issues, Marcia Hofmann, senior staff attorney at the EFF, said in a blog post Friday. As a result, researchers are often deterred from reporting such issues to companies out of fear of prosecution.
“We hope to see others follow Facebook's lead and go even further,” Hofmann wrote. “The more transparent companies are about their approaches to vulnerability disclosure — and the more they encourage users to come forward — the more often they will learn about problems that need to be fixed.”
Such transparency will ultimately lead to better and more secure services, she said.
The ongoing debate over responsible disclosure gained steam this year when a Google researcher publicly released details about a Windows vulnerability after he was unable to negotiate a timeline for a fix with Microsoft.
Not long after, Microsoft announced a new initiative, known as coordinated vulnerability disclosure, that seeks to align efforts between researchers and vendors.
Google also chimed in, issuing new guidelines that call for vendors to patch bugs within at most 60 days. If they fail to meet an agreed-upon deadline, or if they fail to address the issue, the researcher has the right to publicly disclose details about the vulnerability in question.
Meanwhile, some vendors, such as Google and Mozilla, go so far as to provide researchers cash rewards for vulnerability disclosures, a practice that has garnered mixed reactions among the security community.