Facebook Will Now Notify Third Party Developers of Any Vulnerability In Their Code, Along With A Public Disclosure

Facebook has recently been rolling out a string of important policy changes, and the latest concerns third-party developers, who will now be notified of any security vulnerabilities found in their code.

In announcing the changes, Facebook said that it will periodically check for critical bugs or vulnerabilities in code and systems belonging to third-party developers. If something is found, Facebook will push for the issue to be fixed promptly and will also inform the affected users so that they can either deploy a patch in time or update the whole system.

This is not the first time Facebook has introduced such a reform; it has notified third-party developers about vulnerabilities from time to time in the past. The new policy makes a major change, however, by also disclosing the security vulnerabilities to the affected users.

Vulnerability disclosure programs, or VDPs, usually help companies set up standard rules of engagement for what happens when a security bug is found and when it should be disclosed, even if the bug is fixed later.

Facebook, like other tech giants including Google and Microsoft, relies heavily on third-party code and open-source libraries, so the policy shift was only a matter of time.

Upon finding a vulnerability, Facebook will give the third-party developer 21 days to respond and 90 days to fix the issue, which is a widely accepted time frame for such issues. The company is also taking responsibility for finding the right contact to report the vulnerability to, whether through reporting emails, by filing bugs in bug trackers without including confidential details, or by filing support tickets.

Furthermore, the policy clearly states that Facebook reserves the right to disclose a vulnerability as soon as it is being exploited by an attacker, and that it may delay disclosure if more time is required to fix the issue.

Facebook has also made it clear that it will not sign any non-disclosure agreements relating to such security issues, and that researchers who find a vulnerability (including in the family of apps developed by the same source) will report it through the Bug Bounty Program.

Prior to this, Facebook has disclosed six vulnerabilities in WhatsApp, all of which have fortunately been fixed. Finally, Facebook will also disclose when a vulnerability has been fixed.


Photo: NurPhoto via Getty Images
