Facebook to warn third-party developers of vulnerable code

Facebook has announced a policy change that will see the company notify third-party developers if it finds a security vulnerability in their code.

In a blog post announcing the change,Facebook said it “may occasionally find” critical bugs and vulnerabilities in third-party code and systems. “When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems.”

Facebook has previously notified third-party developers of vulnerabilities, but the policy shift formally codifies the company’s policy toward disclosing and revealing security vulnerabilities.

Vulnerability disclosure programs, or VDPs, allow companies to set the rules of engagement for finding and disclosing security bugs. VDPs also help guide the disclosure and publication of vulnerabilities once a bug is fixed. Companies often use a bug bounty to pay hackers who follow the company’s reporting and disclosure rules.

The policy change is not entirely altruistic. Facebook, like many other tech companies, relies on a ton of third-party code and open-source libraries. But by putting the change in writing, it also puts third-party developers on notice if they don’t fix vulnerabilities in a timely fashion.

Casey Ellis, founder and chief technology officer at vulnerability disclosure platform Bugcrowd, said the policy shift was becoming increasingly popular for companies with a “large, user-centric, third-party attack surface,” and echoes similar efforts by Atlassian, Google and Microsoft.

Facebook said when it finds a vulnerability, it will give third-party developers 21 days to respond and 90 days to fix the issues, a widely accepted time frame to report and remediate security issues. The company says it will make a reasonable effort to find the right contact for reporting a vulnerability, including, but not limited to, emailing security reporting emails, filing bugs without confidential details in bug trackers or filing support tickets. But the company said it reserves the right to disclose sooner if the vulnerability is actively being exploited by hackers, or delay its disclosure if it’s agreed that more time is needed to fix an issue.

Facebook said it will generally not sign a non-disclosure agreement (NDA) specific to the security issues it reports.

Katie Moussouris, founder of Luta Security, told TechCrunch that the “devil will be in the details.”

“The test will be the first time they have to pull the trigger and drop a zero-day — with mitigation guidance — on a competitor,” she said, referring to unpatched vulnerabilities where companies have zero days to patch them.

The new policy is focused specifically on how Facebook handles disclosure of issues in third-party code. If researchers find a security vulnerability on Facebook, or within its family of apps, they will continue to report it through the existing Bug Bounty Program.

As part of the policy change, Facebook said it would also disclose vulnerabilities once they are fixed. In a separate blog post, Facebook, which owns WhatsApp, disclosed six vulnerabilities in the messaging app — since fixed.