Facebook to Blab Bugs it Finds if it Thinks Code Owners Aren’t Fixing Fast Enough
upstart writes in with an IRC submission:
Facebook to blab bugs it finds if it thinks code owners aren't fixing fast enough:
Facebook has published its first Vulnerability Disclosure Policy and given itself grounds to blab the existence of bugs to the world if it thinks that's the right thing to do.
"Facebook may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software," the company writes. "When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems."
[...] The company's policy is to contact "the appropriate responsible party" and give them 21 days to respond.
[...] "If we don't hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability," the policy says, adding: "If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Facebook will disclose the vulnerability."
But the company has also outlined exceptions to those rules, with acceleration of disclosure if a bug is already being exploited and slowing down news "If a project's release cycle dictates a longer window."
Too bad they couldn't code and submit patches.
Read more of this story at SoylentNews.