Knowledge is Power: Facebook's Exceptional Approach to Vulnerability Disclosure
It's no surprise to EFF members that the Internet is full of security flaws, some of them severe. Yet many Internet companies try to deal with these problems internally, or not at all. They don't encourage outsiders to report flaws discovered when using or testing a website, and may even be hostile toward those who reveal facts they don't want to hear. Well-meaning Internet users are often afraid to tell companies about security flaws they've found — they don't know whether they'll get hearty thanks or slapped with a lawsuit or even criminal prosecution. This tension is unfortunate, because when companies learn what needs to be fixed, their services will be better and their users safer.
Facebook has set itself apart from other Internet companies by recognizing this problem and working to overcome it. The social networking site has become one of the first to publish a policy intended to make those who discover vulnerabilities more comfortable coming forward to report them:
We encourage security researchers who identify security problems to embrace the practice of notifying website security teams of problems and giving them time to fix the problems before making any information public. To make researchers feel comfortable bringing issues to our attention, we have adopted the following responsible reporting policy: If you share details of a security issue with us and give us a reasonable period of time to respond to it before making it public, and in the course of that research made a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service, we will not bring any lawsuit against you or ask law enforcement to investigate you for that research.
EFF was happy to have a small role in helping a researcher report a vulnerability to Facebook recently, and also in improving the policy a bit. We hope to see others follow Facebook's lead and go even further. The more transparent companies are about their approaches to vulnerability disclosure — and the more they encourage users to come forward — the more often they will learn about problems that need to be fixed. To that end, if your company has a good disclosure policy, we'd love to hear about it.
You can report possible security flaws to Facebook here. If you have hesitations about reporting a vulnerability to Facebook or anyone else, let us know and we're happy to discuss your concerns with you.