Facebook has recently taken several steps to strengthen app security. These include the launch of a dedicated security advisory page for WhatsApp and the announcement of a Facebook Vulnerability Disclosure Policy covering third-party systems.
Facebook’s New Vulnerability Disclosure Policy
Facebook has announced and implemented a new Vulnerability Disclosure Policy (VDP) for third-party systems. The policy describes how Facebook will report and disclose bugs it finds in third-party apps and open-source projects.
As detailed in the policy, Facebook expects a response to its bug report from the other party within 21 days of initial disclosure. If no response arrives, Facebook reserves the right to disclose the vulnerability publicly.
We expect the third party to respond within 21 days to let us know how the issue is being mitigated to protect the impacted people. If we don’t hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability.
Likewise, Facebook applies a 90-day disclosure deadline, after which it will publicly disclose bugs that remain unfixed.
If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Facebook will disclose the vulnerability.
However, Facebook has also noted that it may deviate from these timelines under certain circumstances. For example, an urgent or actively exploited bug may be disclosed sooner. Conversely, Facebook may delay disclosure where warranted.
Separate WhatsApp Advisory Page
Facebook’s third-party vulnerability disclosure policy arrives alongside another upgrade: a dedicated advisory page for WhatsApp that lists all WhatsApp-related security bugs.
According to Facebook, this step helps the security community keep track of the bugs. Announcing it in a blog post, the company stated:
Due to the policies and practices of app stores, we cannot always list security advisories within app release notes. This advisory page provides a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE).
At the same time, Facebook has urged users to update WhatsApp whenever updates are available in order to stay protected.
In August, Facebook also open-sourced its internal security tool Pysa for use with other frameworks.