
Welcome to the wild world of corporate IT. Their VP has authority to make a new website if she wants, but has to go through a 3 month vetting process to put it on a subdomain.


As someone who used to work on Facebook open source, that makes sense! After all, an insecure subdomain could lead to all sorts of problems on facebook.com. Phishing, stealing cookies, there's a lot of ways it could go wrong.

Whereas, if one engineer spins up some random static open source documentation website on AWS, it really can't go wrong in a way that causes trouble for the rest of the company.


My initial comment was sardonic but this is a good point.

My IT experiences elsewhere have left me a little jaded. :)


I wasn't aware of that, but it's intriguing! Eager to learn more about subdomains and vulnerabilities - any resources you'd recommend?


Read about the Same-Origin Policy and Content Security Policy. MDN is a canonical resource for this.


And you would learn that if you don't have wildcard cookies, which I generally wouldn't recommend, subdomains are isolated from each other. But with Meta, if the brand weren't tarnished, a new domain for subdomains like Google's withgoogle.com and web.dev would be a good place to add sites like this rather than subdomain.facebook.com.
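
[Added example, not part of the thread: a sketch of the cookie scoping rule the comments above rely on, following the domain-match rule in RFC 6265 and taking "wildcard cookies" to mean cookies set with a Domain attribute (an assumption). The hostnames, cookie values and function names are constructed for illustration.]

```javascript
// Added example. Hostnames and cookie values below are constructed.
// Not modelled: public-suffix rejection, IP-address hosts, Path and Secure.

// RFC 6265 section 5.1.3: host equals the cookie domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Work out the scope a browser gives a Set-Cookie value received from originHost.
// Returns null when the browser would reject the cookie.
function cookieScope(originHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let domain = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    if (eq === -1) continue; // flag attributes such as Secure, HttpOnly
    if (attr.slice(0, eq).trim().toLowerCase() !== "domain") continue;
    // A leading dot is ignored; an empty value is treated as no Domain at all.
    const value = attr.slice(eq + 1).trim().replace(/^\./, "").toLowerCase();
    if (value) domain = value;
  }
  // No Domain attribute: host-only cookie, returned to the exact origin host only.
  if (domain === null) return { name, hostOnly: true, domain: originHost.toLowerCase() };
  // A Domain that does not cover the setting host is refused.
  if (!domainMatch(originHost, domain)) return null;
  return { name, hostOnly: false, domain };
}

// Which of the given hosts would receive the cookie on a request?
function exposure(originHost, setCookie, hosts) {
  const scope = cookieScope(originHost, setCookie);
  if (scope === null) return [];
  return hosts.filter((h) =>
    scope.hostOnly ? h.toLowerCase() === scope.domain : domainMatch(h, scope.domain)
  );
}

const HOSTS = ["example.com", "www.example.com", "docs.example.com"];
console.log(exposure("www.example.com", "sid=abc; Secure; HttpOnly", HOSTS));
console.log(exposure("www.example.com", "sid=abc; Domain=example.com; Secure", HOSTS));
console.log(exposure("docs.example.com", "sid=abc; Domain=other.example", HOSTS));
```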


Meta isn't a typical corporation, though. Ordinary big company red tape could have stopped them from indirectly displacing thousands based on their religion. (That isn't an outlandish claim but is something they actually got sued for, though it was dismissed without absolving them of it)


It very much is a typical big corp, and OP is correct. It's easier to ship something on a new domain, using AWS and a bunch of contractors, than to add a subdomain to facebook.com or some other top-level domain.


Not to mention, the "Ordinary big company red tape" didn't stop Coca-Cola from hiring Colombian death squads, Nestle from draining the Great Lakes and selling it back to its residents, nor Hershey's from making chocolate from cacao farmed with child slave labor.

Relative to the rest of FAANG (or even Fortune 500), Facebook might have the least blood on their hands when everything is said and done.


um... did you sleep through the last 8+ years of handwringing about election interference, Russian / state propaganda, live streaming massacres, addiction / mental health effects of social media, particularly for kids? I can't imagine the other FAANGs come close


If platforming disinformation and enabling internet addiction is equivalent to criminal complacency, then Microsoft, Apple, Amazon and Google all have crimes to answer for. Facebook has shit the bed more times than they can count on two hands, but unfortunately that's kinda the table-stakes in big tech.



