Facebook announced a change to its policy, according to which the company will notify third-party developers if it finds a security vulnerability in their code. Facebook admitted that it “can sometimes detect” critical bugs and vulnerabilities in third-party code and systems, TechCrunch reports.
The company has previously reported vulnerabilities to third-party developers, but the policy change formally codifies the company’s policy regarding the disclosure and identification of security vulnerabilities.
Vulnerability Disclosure Programs, or VDPs, let companies set the rules for how security bugs are reported to them and how they are disclosed. VDPs also govern when and how vulnerabilities are published once they have been fixed. Companies often pair a VDP with a bug bounty that pays hackers who abide by the company’s reporting and disclosure policies.
The policy change is not entirely altruistic. Facebook, like many other tech companies, relies on a great deal of third-party code and open source libraries. The written policy also serves as a warning to third parties that do not fix vulnerabilities in a timely manner.
Casey Ellis, founder and CTO of the vulnerability disclosure platform Bugcrowd, said such policies are becoming increasingly popular among companies with a “large, user-centric third-party attack surface,” and that Facebook’s move echoes similar ones by Atlassian, Google, and Microsoft.
Facebook said that if a vulnerability is found, third-party developers will be given 21 days to respond and 90 days to fix the issue – the generally accepted time frame for reporting and fixing security issues. The company says it will use reasonable efforts to find a suitable contact to report the vulnerability to, including but not limited to sending email messages with security reports, logging non-confidential bugs in public bug trackers, or filing support tickets. But the company said it reserves the right to disclose early if a vulnerability is actively exploited by hackers, or to postpone disclosure if it agrees that the fix needs more time.
The new policy focuses on how Facebook handles issue disclosures in third-party code. If researchers discover a security vulnerability in Facebook or its family of apps, they will continue to report it through the existing Bug Bounty program.