Facebook To Warn Third-party Developers Against Insecure Code

Facebook's Vulnerability Disclosure Policy ensures that the company notifies third-party developers if it finds a security vulnerability in their code.

Facebook is making a policy change that commits the company to notifying third-party developers when it finds a security vulnerability in their code.

Facebook has already been notifying third-party developers of vulnerabilities on an informal basis; the policy change formally codifies how Facebook discloses security vulnerabilities it discovers in code and systems it does not own.
 
Facebook said that it may sometimes find severe bugs and vulnerabilities in third-party code and systems. "When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems."

Source: Facebook
Vulnerability disclosure programs let organizations set the rules of engagement for finding and reporting security bugs: who to contact, what information to include, and how long the organization has to fix an issue before it is published. These programs also govern when and how a vulnerability is disclosed once a fix is available. Organizations often pair a disclosure program with a bug bounty that pays researchers who follow the company's reporting and disclosure rules.
 
If Facebook discovers a vulnerability in third-party code, the new policy gives the developer 21 days to respond to the report and 90 days to fix the issue.
 
Facebook said that it will make a reasonable effort to reach the right contact for reporting a vulnerability, including emailing the project's security reporting addresses, filing bugs in public bug trackers with confidential details omitted, or filing support tickets.