
What ends with X and won't sue security researchers?

Netflix lures bounty-hunters, Dropbox offers vulnerability research safe harbour

By Richard Chirgwin


If you listen carefully, you'll hear the sound of a very small ship coming in: Netflix has joined Bugcrowd, offering bounties of up to US$15,000 for vulnerabilities.

The bounty program covers a host of apps and platforms: the Netflix Android and iOS mobile apps, the various APIs at netflix.com, nine other domains under netflix.com, and the *.nflximg.net, nflxext.com and nflximg.net domains.

Netflix's announcement explained that the Bugcrowd public launch follows a private program initiated in September 2016, which grew from 100 researchers at the start to more than 700 today.

Since the private launch, Netflix has “attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in”, the post said.

Behave, white hats: Netflix's rules state that if you access customer information, you have to stop testing and submit the bug. Researchers should also only launch attacks at their own accounts, and (naturally enough) not hose the Netflix servers.

Stay within the bounty's rules, and Netflix promises not to sue, which is an important consideration in a world where litigation is increasingly deployed to try to silence research rather than fix vulnerabilities.

The company's full vulnerability disclosure terms are here.

Dropbox also on the 'we won't sue' list

Dropbox has also promised it won't sue researchers who play nice. The company today published guidelines to give researchers safe harbour.

Dropbox's Chris Evans wrote that vulnerability researchers have “faced decades of abuse, threats, and bullying”.

Evans has seen it all, apparently, from legal threats, referrals to authorities, attacks on character, abuse of process to gag researchers, and more.

He says Dropbox realised its own disclosure program (at HackerOne) didn't offer enough protection, so it's been updated.

Particularly welcome are promises that America's Computer Fraud and Abuse Act and Digital Millennium Copyright Act won't be deployed against good-faith security research; and if a third party tries to intervene to block research conducted under the Dropbox program, the company “will make it clear when a researcher was acting in compliance with the policy (and therefore authorised by us)”.

Researchers are instructed that Dropbox won't negotiate bounties under any kind of duress, and asked to give the company reasonable time to roll out fixes. ®
