Meta’s Vulnerability Disclosure Policy
Meta may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software. When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems.
That sounds simple and clear-cut. However, vulnerability disclosure is anything but simple. Here is what motivated our policy:
Vulnerability Disclosure Policy
In a nutshell, Meta will contact the appropriate responsible party and inform them as quickly as reasonably possible of a security vulnerability we’ve found. We expect the third party to respond within 21 days to let us know how the issue is being mitigated to protect the impacted people. If we don’t hear back within 21 days after reporting, Meta reserves the right to disclose the vulnerability. If within 90 days after reporting there is no fix or update indicating the issue is being addressed in a reasonable manner, Meta will disclose the vulnerability.
That said, we will adhere to the vulnerability disclosure steps and the proposed timelines whenever reasonably possible, but we can envision scenarios where there might be deviations. If Meta determines that disclosing a security vulnerability in third-party code or systems sooner serves to benefit the public or the potentially impacted people, we reserve the right to do so.
Here are some details.
Reporting
Mitigation & Timeline
Disclosure
Additional Disclosure Considerations
Finally, this policy refers to what Meta does when we find an issue in third-party code. If you believe you have found a security vulnerability in Meta technologies such as Facebook or Instagram, we encourage you to report it through our Bug Bounty Program.