Facebook has published its first Vulnerability Disclosure Policy and given itself grounds to blab the existence of bugs to the world if it thinks that’s the right thing to do.
“Facebook may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software,” the company writes. “When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems.”
The Social Network™ has made itself the arbiter of what needs to be disclosed and when it needs to be disclosed. The company’s policy is to contact “the appropriate responsible party” and give them 21 days to respond.
“Facebook will evaluate based on our interpretation of the risk to people.”
“If we don’t hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability,” the policy says, adding: “If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Facebook will disclose the vulnerability.”
But the company has also outlined exceptions to those rules, with acceleration of disclosure if a bug is already being exploited and slowing down news “If a project’s release cycle dictates a longer window.”
The third reason is:
“If a fix is ready and has been validated, but the project owner unnecessarily delays rolling out the fix, we might initiate the disclosure prior to the 90-day deadline when the delay might adversely impact the public.”
Facebook “will evaluate each issue on a case-by-case basis based on our interpretation of the risk to people.”
The policy isn’t wildly difficult from that used by Google’s Project Zero, which also discloses bugs after 90 days and also offers extensions under some circumstances.