Facebook Could Disclose Any Bugs It Finds on Third-Party Apps in 21 Days

• Facebook introduced a vulnerability disclosure policy, and it leaves software vendors very little room for loitering.
• The social media company warns that they expect a convincing answer within 21 days, otherwise they’ll publish their finding.
• Additionally, there will be special considerations that may shorten or lengthen the disclosure periods.

Facebook has decided to tighten its vulnerability disclosure program’s period and has refreshed its policy on the matter. From now on, when the social media giant finds a security flaw, it will contact the developer and wait 21 days for their response.

If they don’t receive an answer detailing exactly how the vendor is planning to mitigate the discovered problem, or if the response is in any way insufficient, too vague, or plainly wrong, Facebook will publicly disclose the vulnerability.

In addition to this first-line response, Facebook warns that if 90 days have passed after the reporting and the software vendor’s initial assurances and there’s still no fixing patch out, they will again publicly disclose the vulnerability.

The tech company mentions the possibility to make deviations if that is deemed appropriate on a case by case basis, giving the following scenarios as examples:

• The flaw is being already actively exploited in the wild, so an immediate disclosure will help the users protect themselves.
• The fixing patch is ready, but the vendor is delaying its release for no good reason.
• The project’s release cycle dictates a longer window, which happens to fall at a date that goes beyond the 90 days.
• There are other agreements between Facebook and the vendor in place, having a higher priority.
• There are considerations around policy application consistency and being as fair as possible towards all vendors.

If we were to comment on the above, we would say that it’s a positive step taken by Facebook. The set deadlines are pretty reasonable, as 90 days is the standard window of disclosure in the security research industry.

Related: Facebook CEO Takes a Swing at Apple’s ‘Stranglehold’ and ‘Monopoly Rents’

The 21 days term is where things get really pressing, but having three weeks to develop a solid plan on how to mitigate a problem should be a logical expectation to have from software vendors whose products serve hundreds of thousands or even millions of users. When people’s security and privacy is on the line, those responsible should take the matter seriously.

Facebook’s size in the industry renders this new policy an important contribution to the shifting of the dynamics in software development, maintenance, and security. The margins are tightening, and only the firms acting with a certain level of credibility will be allowed to operate in the crowded space. From that perspective, Facebook’s move is certainly welcome.