Facebook to notify third parties about vulnerabilities in their codes

Facebook has made a policy change that it will allow the company to notify third party developers when it finds a security vulnerability in their code. Developers have 21 days to acknowledge the notifications with a report and 90 days to fix the vulnerabilities. In case third party developers do not fix it, Facebook will make the bug details available to the public. This new ‘vulnerability disclosure policy’ was implemented to safeguard a fair treatment for all third party developers. Facebook manages hundreds of third party apps and millions of lines of code that provide services to Facebook users around the world. The platform finds security bugs through in-house analysis tools, such as Pysa and Zoncolan. The policy is made to help avoid bugs in third party apps to affect general Facebook users. In the past decade, Facebook has found vulnerabilities in many third party apps, but not all of them were fixed in a timely manner.