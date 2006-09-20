Stories
Facebook to Blab Bugs it Finds if it Thinks Code Owners Aren’t Fixing Fast Enough

upstart writes in with an IRC submission:

Facebook to blab bugs it finds if it thinks code owners aren't fixing fast enough:

Facebook has published its first Vulnerability Disclosure Policy and given itself grounds to blab the existence of bugs to the world if it thinks that's the right thing to do.

"Facebook may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software," the company writes. "When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems."

[...] The company's policy is to contact "the appropriate responsible party" and give them 21 days to respond.

[...] "If we don't hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability," the policy says, adding: "If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Facebook will disclose the vulnerability."

But the company has also outlined exceptions to those rules, with acceleration of disclosure if a bug is already being exploited and slowing down news "If a project's release cycle dictates a longer window."

Too bad they couldn't code and submit patches.

  • (Score: 2) by c0lo (156) Subscriber Badge on Monday September 07, @10:09AM (#1047509)

    If you manage to find and document vulns, you are borderline to the ability to fix them.
    At the zillions you earn using open source**, invest in a team of generalists able to provide patches. Or else, please do fuck off and read the disclaimer, open source doesn't owe you a thing.

    ** Yes, they do target open source

    Reporting

    Facebook will make a reasonable effort to find the right contact for reporting a vulnerability, such as an open source project maintainer.
