Facebook has tightened the deadlines in its vulnerability disclosure policy and published a refreshed version of it. From now on, when the company finds a security flaw in a third party's software, it will contact the developer and wait 21 days for a response.
If within that period it does not receive an answer describing how the vendor plans to mitigate the problem, or if the response is insufficient, too vague, or plainly wrong, Facebook will publicly disclose the vulnerability.
Beyond that initial response, Facebook warns that if 90 days have passed since the report and the vendor's initial assurances and no fix has shipped, it will likewise publicly disclose the vulnerability.
The company says it may deviate from these deadlines where it deems that appropriate, on a case by case basis, giving the following scenarios as examples:
Our take is that this is a positive step by Facebook. The deadlines are reasonable: 90 days is the customary disclosure window in the security research industry.
The 21-day term is where the pressure really lies, but three weeks to produce a solid mitigation plan is a reasonable expectation of vendors whose products serve hundreds of thousands or even millions of users. When people's security and privacy are on the line, those responsible should treat the matter seriously.
Given Facebook's size in the industry, the new policy is a meaningful contribution to the shifting dynamics of software development, maintenance, and security. The margins are tightening, and only firms that act with a certain level of credibility will be able to keep operating in a crowded space. From that perspective, Facebook's move is certainly welcome.