Facebook has recognised that it has to encourage more researchers to look into security vulnerabilities, after the social networking giant updated its bug disclosure policy.

Facebook has long encouraged researchers to let the company know about security issues they uncover and give the social networking giant time to address them before going public. However, due to its wording, there was concern the previous policy could give the impression bug submitters could be victims of retaliatory action.

“This was a change to clarify the language in an existing policy so that security researchers feel more comfortable working with us when they find a vulnerability,” explained Ryan McGeehan, manager of security incident response for Facebook. “This was a change to clarify the language in an existing policy so that security researchers feel more comfortable working with us when they find a vulnerability.”

Change Needed

“The previous version could have been read to mean that we might take enforcement action against someone for researching and discovering a bug,” he added. “This wasn’t our intention, and so we’ve changed it to read less strictly. We made the change about a week and a half ago.”

The new policy states that: “If you share details of a security issue with us and give us a reasonable period of time to respond to it before making it public, and in the course of that research made a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service, we will not bring any lawsuit against you or ask law enforcement to investigate you for that research.”

The issue of responsibility disclosure has continued to be a point of contention in the security community. Some vendors, such as Google and Mozilla, have taken to offering monetary rewards as incentives for researchers to share bugs in their products directly with them.

Legal Fears

“Well-meaning Internet users are often afraid to tell companies about security flaws they’ve found – they don’t know whether they’ll get hearty thanks or slapped with a lawsuit or even criminal prosecution,” blogged Marcia Hofmann, senior staff attorney with the Electronic Frontier Foundation (EFF). “This tension is unfortunate, because when companies learn what needs to be fixed, their services will be better and their users safer.”

Facebook worked with the EFF to draft the new policy, McGeehan said.

“Security is a top priority for us, and we invest lots of resources in protecting our site and the people who use it from attacks,” he said. “Like any web service as complex as Facebook, however, we occasionally have a vulnerability in our code. We hire the most qualified and highly-skilled engineers and security professionals we can find, but we also know that there’s an entire community of very smart and talented security researchers outside Facebook who want to do the right thing. This policy allows that community to work with us more easily so we can fix vulnerabilities quickly and before they’re exploited.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

View Comments

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

21 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

22 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

22 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

1 day ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

1 day ago