Facebook has implemented a fresh security vulnerability disclosure policy (VDP) this week – in an effort to explain how it decides when and how to roll out details on various bugs that its team finds in third-party software and open-source projects.
Generally speaking, companies will have 21 days to respond when Facebook files a report; if they don’t, the tech giant “reserves the right” to disclose the bug. If a report is acknowledged, the impacted company then has 90 days (from the time the report is filed) to patch before Facebook goes public.
However, there are exceptions to these guidelines. For instance, if Facebook determines that disclosing a security vulnerability sooner “serves to benefit the public or the potentially impacted people,” it may pull the rip cord on disclosure: For instance, if a bug is being actively exploited in the wild.
The policy also says that Facebook may also disclose early if a patch is validated ready to go, but the project owner delays rollout; and conversely, if a project’s release cycle necessitates a longer window, it may agree to delay disclosure beyond the initial 90-day window.
“Our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems,” the tech giant said, in its recently published VDP. “However…not all bugs are equally sensitive. A high-impact security issue requires much more care before it is publicly disclosed.”
As far as the communication process, the policy dictates that Facebook will first find the appropriate contact (an open-source project-maintainer, say) – and then will contact that person appropriately (via emails, bug trackers, support tickets and so on) to provide a description of the issue found, a statement of Facebook’s VDP and the expected next steps.
Those next steps include the contact acknowledging the report and verifying/replicating the issue (and asking for more information if necessary) before working on a fix to be released within the 90-day window.
“Fixing an issue requires close collaboration between researchers at Facebook reporting the issue and the third party responsible for fixing it,” according to the VDP. “Whenever appropriate, Facebook will work with the responsible contact to establish the nature of the issue and potential fixes. We will share relevant technical details to help expedite the fix.”
On a case-by-case basis, Facebook said it would coordinate disclosure with the impacted developer, either publicly or to specific people or companies using the project, and include/issue a CVE when appropriate.
The news comes as Facebook-owned WhatsApp rolls out its own changes this week. The messaging service has debuted a dedicated advisory page that provides a comprehensive list of WhatsApp security updates and associated CVEs, with descriptions aimed at helping researchers understand the impact of the bugs. WhatsApp said it will keep “with industry best practices” and not disclose security issues until claims have been “fully investigated,” “necessary fixes” issued and updates provided through respective app stores.
Vulnerability disclosure is a hot topic of late, with The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) announcing this week a mandate for federal agencies to implement vulnerability-disclosure policies (VDPs). The move goes hand-in-hand with bug-bounty program goals; the idea is to give ethical hackers clear guidelines for submitting bugs found in government systems, to be rolled out by next March.
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.