Facebook has often been criticized for a lack of disclosure across various parts of its business and policies. Now, however, Facebook appears to be correcting course by adopting its first Vulnerability Disclosure Policy (VDP). This VDP has been designed specifically for reporting vulnerabilities in third-party code and systems. Unpatched third-party vulnerabilities often directly or indirectly affect Facebook's overall performance and security, so getting them fixed is one of Facebook's top priorities, and the VDP is meant to address exactly that.
Facebook’s Vulnerability Disclosure Policy in a Nutshell
The idea behind this policy comes from Facebook’s ideology that “not all bugs are equally sensitive” and “fixing an issue requires close collaboration between researchers at Facebook reporting the issue and the third-party (engineers) responsible for fixing it”.
Facebook said that it will contact the relevant third party about any security issue its researchers have found, and that the third party is expected to respond within 21 days. The response must describe the mitigation steps being taken to fix the issue and to protect the people affected. If the third party fails to respond within 21 days, the social media giant reserves the right to disclose the vulnerability publicly so that affected people can take the necessary actions.
Similarly, even after a response has been received, if the third party fails to fix the vulnerability within the following 90 days, Facebook again reserves the right to make the vulnerability public. Facebook does, however, acknowledge that certain vulnerabilities can take longer to resolve, and hence there could be "some deviations from the actual timeline," but any such deviation is solely at Facebook's discretion.
Facebook’s Other Baby
Facebook’s other company, WhatsApp, also got itself a new channel to publish its security updates. WhatsApp Security Advisories is a directory designed to increase transparency by providing information on all the vulnerabilities addressed in the messaging service provider’s mobile and web applications. This page displays a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVEs).
Coincidentally, just a couple of days ago CISA issued a directive requiring government agencies to implement a VDP as soon as possible. CISA has acknowledged that this form of security serves the "public good" and is therefore strongest when "good faith" security researchers and government organizations collaborate in fortifying defenses. Such collaboration, however, can only be built on the foundation of a formal policy that allows vulnerabilities to be found and reported in a legally authorized manner. Thus, to make this process easier for researchers, CISA recommends that every government agency define a VDP.