Facebook Updates Security Bug Disclosure Policy

Facebook has re-worded its vulnerability disclosure policy to calm fears bug submitters would be subject to legal action.

Facebook has updated its bug disclosure policy in a bid to get more researchers to come forward with security vulnerabilities.

Facebook has long encouraged researchers to let the company know about security issues they uncover and give the social networking giant time to address them before going public. However, due to its wording, there was concern the previous policy could give the impression bug submitters could be victims of retaliatory action.

"This was a change to clarify the language in an existing policy so that security researchers feel more comfortable working with us when they find a vulnerability," explained Ryan McGeehan, manager of security incident response for Facebook. "This was a change to clarify the language in an existing policy so that security researchers feel more comfortable working with us when they find a vulnerability."

"The previous version could have been read to mean that we might take enforcement action against someone for researching and discovering a bug," he added. "This wasn't our intention, and so we've changed it to read less strictly. We made the change about a week and a half ago."

The new policy states that: "If you share details of a security issue with us and give us a reasonable period of time to respond to it before making it public, and in the course of that research made a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service, we will not bring any lawsuit against you or ask law enforcement to investigate you for that research."

The issue of responsibility disclosure has continued to be a point of contention in the security community. Some vendors, such as Google and Mozilla, have taken to offering monetary rewards as incentives for researchers to share bugs in their products directly with them.

"Well-meaning Internet users are often afraid to tell companies about security flaws they've found - they don't know whether they'll get hearty thanks or slapped with a lawsuit or even criminal prosecution," blogged Marcia Hofmann, senior staff attorney with the Electronic Frontier Foundation (EFF). "This tension is unfortunate, because when companies learn what needs to be fixed, their services will be better and their users safer."

Facebook worked with the EFF to draft the new policy, McGeehan said.

"Security is a top priority for us, and we invest lots of resources in protecting our site and the people who use it from attacks," he said. "Like any web service as complex as Facebook, however, we occasionally have a vulnerability in our code. We hire the most qualified and highly-skilled engineers and security professionals we can find, but we also know that there's an entire community of very smart and talented security researchers outside Facebook who want to do the right thing. This policy allows that community to work with us more easily so we can fix vulnerabilities quickly and before they're exploited."