
posted by martyb on Monday September 07 2020, @09:51AM
from the how-much-glass-is-in-YOUR-house,-Facebook? dept.

Facebook to blab bugs it finds if it thinks code owners aren't fixing fast enough:

Facebook has published its first Vulnerability Disclosure Policy and given itself grounds to blab the existence of bugs to the world if it thinks that's the right thing to do.

"Facebook may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software," the company writes. "When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems."

[...] The company's policy is to contact "the appropriate responsible party" and give them 21 days to respond.

[...] "If we don't hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability," the policy says, adding: "If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Facebook will disclose the vulnerability."

But the company has also outlined exceptions to those rules, with acceleration of disclosure if a bug is already being exploited and slowing down news "If a project's release cycle dictates a longer window."

Too bad they couldn't code and submit patches.


  • (Score: 3, Touché) by c0lo on Monday September 07 2020, @10:09AM (2 children)

    by c0lo (156) on Monday September 07 2020, @10:09AM (#1047509) Journal

    [...] The company's policy is to contact "the appropriate responsible party" and give them 21 days to respond.

    If you manage to find and document vulns, you are borderline to the ability to fix them.
    At the zillions you earn using open source**, invest in a team of generalists able to provide patches. Or else, please do fuck off and read the disclaimer; open source doesn't owe you a thing.

    ---

    ** Yes, they do target open source

    Reporting

    Facebook will make a reasonable effort to find the right contact for reporting a vulnerability, such as an open source project maintainer.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 2, Offtopic) by Rosco P. Coltrane on Monday September 07 2020, @10:30AM (1 child)

      by Rosco P. Coltrane (4757) on Monday September 07 2020, @10:30AM (#1047511)

      If you manage to find and document vulns, you are borderline to the ability to fix them.

      Hmm, no, unless the code in question comes with the source. You can find plenty of vulnerabilities in closed-source code and not be able to do a damn thing about it.

      • (Score: 2) by c0lo on Monday September 07 2020, @11:12AM

        by c0lo (156) on Monday September 07 2020, @11:12AM (#1047526) Journal

        If you are so compulsively attracted to pedantry today, let me pedantically point out that:
        1. my "you are borderline to the ability" means I'm not pretending that you are inside the "territory" of the actual ability, only that you could get there
        2. I cited evidence FB intends to apply that policy to open source software too. In which case they do have access to the source code and nobody but them stops FB from providing the patches.

        ---

        3. even if one has the binary only and no source, theoretically, those binaries still can be patched. Thousands of game crackers in the '90s and '00s showed it is possible. Granted, FB could not legally distribute binary patches, but they can get the ability to protect themselves for longer than 21 days without making a vuln public.
        I'm not saying they should keep a team of ethical crackers, just that they have enough other choices than just acting as an entitled, mindless 800-pound gorilla.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0
  • (Score: 2) by Rosco P. Coltrane on Monday September 07 2020, @10:28AM (2 children)

    by Rosco P. Coltrane (4757) on Monday September 07 2020, @10:28AM (#1047510)

    I so wish one of the many companies that use FB code serves them a similar ultimatum if they find a vulnerability - because FB isn't any more immune to code errors than anyone else.

    • (Score: 2) by RS3 on Monday September 07 2020, @01:12PM

      by RS3 (6367) on Monday September 07 2020, @01:12PM (#1047549)

      Or just sell the FB vuln on the dark interwebs.

    • (Score: 2) by FatPhil on Monday September 07 2020, @07:16PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday September 07 2020, @07:16PM (#1047635) Homepage

      And an apology and compensation for Samy Kamkar?

      Samy is my hero.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 5, Insightful) by Rosco P. Coltrane on Monday September 07 2020, @10:39AM (4 children)

    by Rosco P. Coltrane (4757) on Monday September 07 2020, @10:39AM (#1047514)

    What this means is, if you, as an open-source programmer, developed, say, a library that FB decides to use, all of a sudden FB unilaterally decides that you have a contractual support obligation towards them - because "fix your code or else" sounds like a contractual obligation to me.

    What an amusing concept: usually open-source projects come with an explicit disclaimer that if you use the code and it craps out on you, you're on your own, and the author can't be held responsible. THAT is the only agreement between FB and you.

    I bet it'd be pretty easy to drag them to court and win. But of course, given FB's resources, you'd be broke before you can have your day in court.

    • (Score: 0) by Anonymous Coward on Monday September 07 2020, @10:56AM

      by Anonymous Coward on Monday September 07 2020, @10:56AM (#1047522)

      Uhm... not legally dubious.
      Facebook, as user of your free, open source, disclaimed code, has no responsibilities to you. In fact, they are being nice to tell you about the vulnerability, they are being nice in giving you the 21-day and 90-day intervals.
      Obviously, you have no responsibility to them either; you at most have an interest in fixing your code to the extent that you use it yourself.

      I don't see where the law would come in, at least as far as GPL/LGPL code is concerned.

    • (Score: 2) by c0lo on Monday September 07 2020, @11:44AM (2 children)

      by c0lo (156) on Monday September 07 2020, @11:44AM (#1047528) Journal

      What this means is, if you, as an open-source programmer, developed, say, a library that FB decides to use, all of a sudden FB unilaterally decides that you have a contractual support obligation towards them - because "fix your code or else" sounds like a contractual obligation to me.

      What an amusing concept: usually open-source projects come with an explicit disclaimer that if you use the code and it craps out on you, you're on your own, and the author can't be held responsible. THAT is the only agreement between FB and you.

      There's nothing legally dubious, it's a "contract of adhesion" - take it or leave it [wikipedia.org].
      Including the invariably present disclaimer of warranty, usually shouting from inside a licence.

      I bet it'd be pretty easy to drag them to court and win.

      Whatever for? For all you (the author of the open source) care, they can broadcast the vuln the moment they discovered it.
      You are shielded against damages and cannot claim material damages for something that you offer free; any attempt to sue them is already baseless, so why attempt it?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
      • (Score: 2) by RS3 on Monday September 07 2020, @01:21PM (1 child)

        by RS3 (6367) on Monday September 07 2020, @01:21PM (#1047555)

        Great insight and I generally agree with you, but playing devil's advocate: you might be able to sue them for character assassination, as long as you can prove they didn't contact you or didn't give you enough time to fix the problem. And even then, I'm not sure that FB gets to decide how much time is reasonable. But I admit I've always had a problem with respecting authority. (big grin) (the sardonic point being that FB is so big and powerful that they're a govt. now...)

        • (Score: 2) by c0lo on Monday September 07 2020, @02:12PM

          by c0lo (156) on Monday September 07 2020, @02:12PM (#1047564) Journal

          Great insight and I generally agree with you, but playing devil's advocate: you might be able to sue them for character assassination, as long as you can prove they didn't contact you or didn't give you enough time to fix the problem

          IANAL, but beat me if "character assassination" sounds like a legal term that one can base a lawsuit on.
          I heard about defamation, but there's a slight problem with that: it's not defamation if it's true.

          Didn't contact you or didn't give you enough time? Why do these matter? They aren't legally obliged to. Responsible disclosure [wikipedia.org] is a matter of "professional courtesy"; having bogan professional manners is not punishable by any commercial or contractual laws.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0
  • (Score: 4, Insightful) by Mojibake Tengu on Monday September 07 2020, @11:00AM (7 children)

    by Mojibake Tengu (8598) on Monday September 07 2020, @11:00AM (#1047523) Journal

    There is no responsibility in responsible policy.

    Just spit it out, immediately:
    https://seclists.org/fulldisclosure/ [seclists.org]

    A 90-day delay in disclosure only helps state actors and agencies to keep their tailor-made backdoors functioning.
    It is an absurd scale, even for corporate bureaucracy.
    My limit would be no more than 3 days.
    You guys are good at making funny laws about everything, make a law about this.

    --
    The edge of 太玄 cannot be defined, for it is beyond every aspect of design
    • (Score: 0) by Anonymous Coward on Monday September 07 2020, @11:41AM (1 child)

      by Anonymous Coward on Monday September 07 2020, @11:41AM (#1047527)

      Have some realism, 3 days is pretty damn short for many problems.

      • (Score: 1, Insightful) by Anonymous Coward on Monday September 07 2020, @06:10PM

        by Anonymous Coward on Monday September 07 2020, @06:10PM (#1047620)

        It's not about the problems, it's about the victims.

        Imagine another Code Red. Three days is a pretty damn long time for a bug that allows a worm to spread around the world in six days.

        Immediate disclosure allows the potential victims to stop using the software, update their firewall rules, pull the ethernet plug or whatever response they determine to be the most appropriate. Any delay only helps the vendor marketing department come up with a story about how it's not a serious problem.

    • (Score: 3, Disagree) by Bot on Monday September 07 2020, @11:51AM (2 children)

      by Bot (3902) on Monday September 07 2020, @11:51AM (#1047529) Journal

      > My limit would be no more than 3 days.

      Some bugs might require altering protocols. Altering protocols means updating the receivers of those protocols. The receivers might be out of your control. So even in the case of a perfectly engineered dev flow, with automated tests and all, 3 days is not a feasible limit. Make it... well, consider that human factors are involved... management wars... denial... make it 90 days.

      --
      Account abandoned.
      • (Score: 2) by Mojibake Tengu on Monday September 07 2020, @12:19PM (1 child)

        by Mojibake Tengu (8598) on Monday September 07 2020, @12:19PM (#1047534) Journal

        Altering protocols can be done adaptively: transitional protocol supports both previous and future protocol variant for a limited time period.

        --
        The edge of 太玄 cannot be defined, for it is beyond every aspect of design
        • (Score: 2) by Bot on Monday September 07 2020, @02:58PM

          by Bot (3902) on Monday September 07 2020, @02:58PM (#1047577) Journal

          make it 120 days, then :D

          --
          Account abandoned.
    • (Score: 1, Interesting) by Anonymous Coward on Monday September 07 2020, @02:30PM

      by Anonymous Coward on Monday September 07 2020, @02:30PM (#1047569)

      Rushed bug fixes are worse than leaving the code unfixed and publishing some manner of manual mitigation for the issue. Rushed bug fixes often amount to boilerplating some immediate "cause" away without investigating what's actually going on and pulling that out by the root (in English, the code remains exploitable, only not by the method originally published in the PoC), are seldom [sufficiently] tested, and as a result lead to more bugs down the line that may be worse than or exacerbate the original issue.

    • (Score: 3, Insightful) by sjames on Monday September 07 2020, @05:44PM

      by sjames (2882) on Monday September 07 2020, @05:44PM (#1047616) Journal

      That depends on the situation. 90 days for a software team working full time in a large corporation is a long time. For a small team also doing other things in a small company, it may not be all that long. For a hobbyist that's doing the work in spare time (when there IS spare time), it may not be a realistic time-frame, especially if the bug report is incomplete or inaccurate.

  • (Score: 2) by takyon on Monday September 07 2020, @04:16PM

    by takyon (881) <{takyon} {at} {soylentnews.org}> on Monday September 07 2020, @04:16PM (#1047597) Journal
    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 0) by Anonymous Coward on Monday September 07 2020, @04:55PM (1 child)

    by Anonymous Coward on Monday September 07 2020, @04:55PM (#1047607)

    90 days is a totally ordinary period of time for vulnerability disclosure. Disclosure is not about embarrassing the author, it is also about ensuring that users of the code can protect themselves, as it can be assumed that the bad guys will, or already have, discovered the same vulnerability. The only reason disclosure is not immediate is so that fixes can be made available in an orderly way.

    • (Score: 3, Insightful) by sjames on Monday September 07 2020, @05:51PM

      by sjames (2882) on Monday September 07 2020, @05:51PM (#1047617) Journal

      Ideally, yes. However, vulnerability reports vary. Everything from claiming a trivial exploit that is indeed trivial to making huge claims that turn out to work one time in a million IFF you have knowledge that no outside attacker will ever have or if the app is doing something that would only be done if you want an exploit to work. Sometimes disclosure is more about accruing cred for the discloser than it is about actually closing a security hole that actually exists.

  • (Score: 0) by Anonymous Coward on Monday September 07 2020, @06:20PM (3 children)

    by Anonymous Coward on Monday September 07 2020, @06:20PM (#1047623)

    I see a lot of talk about how 21 days is not enough, and 90 days is the bare minimum. Let me ask you this: Who do you support, the vendor or the users that will be the victims of the bug?

    Imagine someone you know has been tested and found to have Covid-19. They are going to parties, ball games, etc, infecting people around them. Would you say that giving them 21 days to get their ass home and self-quarantine is too short a time? Should we allow them 90 days?

    Now imagine the same thing, but with another virus that spreads faster than Covid-19. A lot faster. Code Red spread around the world in SIX days. In that time, Covid-19 had barely spread inside Wuhan.

    The time we allow the bug to keep infecting people should be shorter for a bug with the potential to become the next Code Red, than it is for Covid-19.

    Immediate disclosure allows people to stop using the software, to update their firewall rules, pull the ethernet plug or whatever they deem the best response here and now. Waiting only helps the marketing department spin it as nothing serious, and the bad guys getting a larger botnet.

    • (Score: 2) by maxwell demon on Monday September 07 2020, @08:41PM (2 children)

      by maxwell demon (1608) Subscriber Badge on Monday September 07 2020, @08:41PM (#1047660) Journal

      Your comparison is not valid. Computer malware is not something that occurs naturally, it is something that humans create. And if you disclose a bug, you not only allow people to take preventive measures, you also enable more people to attack. Moreover, being vulnerable and being infected are two different things.

      Indeed, I don't think a one-size-fits-all strategy can work; for each security bug, there should be an individual evaluation whether it should already be disclosed to the public, or secretly be disclosed only to the developers. Note also that some bugs may also allow for an in-between solution: Disclose enough details that people can protect against the bug, but not enough that attackers can immediately use the information to attack. Of course the developers get the full information, so they can fix the bug.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by Common Joe on Tuesday September 08 2020, @03:50AM

        by Common Joe (33) <common.joe.0101NO@SPAMgmail.com> on Tuesday September 08 2020, @03:50AM (#1047739) Journal

        I don't think a one-size-fits-all strategy can work; for each security bug, there should be an individual evaluation whether it should already be disclosed to the public, or secretly be disclosed only to the developers.

        I fully agree. This idea is for an ideal world which we don't live in. I think sjames hit it right on the mark in his two comments (here [soylentnews.org] and here [soylentnews.org]) above. This isn't about disclosing bugs. This is about making Facebook look like it's "taking a strong stance" so they look good to the general public while screwing the little guy and kicking small open source projects run by less than a handful of developers in the teeth.

      • (Score: 0) by Anonymous Coward on Tuesday September 08 2020, @09:59AM

        by Anonymous Coward on Tuesday September 08 2020, @09:59AM (#1047775)

        And... That's what they're doing. Developers have three weeks just to respond and three months to fix it before disclosure.

        The window of time is well accepted within the industry and is more than enough time. Developers that don't release a fix in that window of time are not interested in fixing the bug, not unable to.

        It is not the Apache or Linux developers, or even the hobbyists that don't get fixes out promptly. It's the big companies with closed source proprietary software.

  • (Score: 0) by Anonymous Coward on Tuesday September 08 2020, @03:50PM

    by Anonymous Coward on Tuesday September 08 2020, @03:50PM (#1047859)

    I honestly don't see a problem with this, assuming that it is applied evenly. If a vendor, whether open or closed source, isn't timely in fixing security bugs then the users need to be warned so they can protect themselves.
