WhatsApp has now made live an advisory page where it will give a “comprehensive list” of “security updates and associated Common Vulnerabilities and Exposures (CVE)”. While the messaging platform does list these vulnerabilities on MITRE, CERT-In and other similar code libraries across the world, its own list will come with more context on the bugs and their fixes.
“The details included in CVE descriptions are meant to help researchers understand technical scenarios and does not imply users were impacted in this manner,” a note from WhatsApp said, suggesting that a lot of the bugs, though reported, don’t impact users.
“WhatsApp also relies on numerous code libraries developed by third parties for various features and we will annotate security updates for these libraries so other developers can make necessary updates,” it said, adding how it was their “policy to notify developers and providers of mobile operating systems about security issues that WhatsApp may identify”.
“We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts. We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available,” the note said.
The listing is live from September 3 and will be regularly updated. Many other large tech organisations, like Microsoft, also list the vulnerabilities that they have found or that have been brought to their notice. Some older CVEs have also been listed on the new WhatsApp advisory page.
Facebook Vulnerability Disclosure Policy
In a related move, Facebook has announced its Vulnerability Disclosure Policy, under which it will “contact the appropriate responsible party and inform them as quickly as reasonably possible of a security vulnerability”. The new policy will require the third party to “respond within 21 days to let us know how the issue is being mitigated to protect the impacted people”, after which Facebook could “disclose the vulnerability”.
The social network said it “may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software” after which the “priority is to see these issues promptly fixed” and the people impacted informed.
The Facebook post said since not all bugs are equally sensitive, the policy outlined below explains how it handles vulnerability disclosure. And as fixing an issue requires close collaboration between researchers at Facebook and the third party responsible for fixing it, the policy will unambiguously explain the social network’s expectations when it reports issues in third-party code and systems.