Facebook has announced a policy change that will see the company notify third-party developers if it finds a security vulnerability in their code.

Facebook said it “may occasionally find” critical bugs and vulnerabilities in third-party code and systems, in a blog post announcing the change. “When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems.”

Facebook said that when it finds a vulnerability, it will give third-party developers 21 days to respond to the report and 90 days to fix the issue, a widely accepted timeframe for reporting and remediating security issues.

Facebook has previously notified third-party developers of vulnerabilities, but the policy shift formally codifies the company’s policy on disclosing and revealing security vulnerabilities.

Casey Ellis, founder and chief technology officer at vulnerability disclosure platform Bugcrowd, said the policy shift was becoming increasingly popular among companies with a “large, user-centric, third-party attack surface,” and echoes similar efforts by Atlassian, Google, and Microsoft.

Katie Moussouris, founder of Luta Security, told TechCrunch that the “devil will be in the details.” “The test will be the first time they have to pull the trigger and drop a zero-day — with mitigation guidance — on a competitor,” she said, referring to unpatched vulnerabilities where companies have zero days to patch them.