Social networking behemoth Facebook revised their bug disclosure policy last week to
protect well-intentioned vulnerability researchers from potential lawsuits
stemming from their discoveries.
The revisions, which were made with the assistance of the Electronic Frontier Foundation, are part of Facebook’s new Responsible Disclosure Policy. The update establishes a Facebook policy whereby security researchers are offered immunity from civil and criminal prosecution if they are in the process of disclosing a bug to Facebook.
The updated policy is similar
to the bug bounty programs Google and Mozilla have proposed, albeit a bit more
pessimistic. It allows a “reasonable period of time [for Facebook] to respond to
[the bug]” before researchers make it public. Vulnerability researchers are protected from prosecution if, in the course of their research,
they “…[make] a good faith effort to avoid privacy violations, destruction of
data, or interruption or degradation of our service.”
According to a Deeplinks blog post by Marcia Hofmann on the
Electronic Frontier Foundation’s website, Facebook’s new policy marks a shift away
from its former policies and those of other organizations, which discourage “well-meaning Internet users,”
who “are often afraid to tell companies about security flaws they’ve found
[because] they don’t know whether they’ll get hearty thanks or slapped with a
lawsuit or even criminal prosecution.”