
What ends with X and won't sue security researchers?

Netflix lures bounty-hunters, Dropbox offers vulnerability research safe harbour


If you listen carefully, you'll hear the sound of a very small ship coming in: Netflix has joined Bugcrowd, offering bounties of up to US$15,000 for vulnerabilities.

The bounty program covers a host of apps and platforms: the Netflix Android and iOS mobile apps, the various APIs at netflix.com, nine other netflix.com domains, and its *.nflximg.net, nflxext.com, and nflximg.net domains.

Netflix's announcement explained that the Bugcrowd public launch follows a private program initiated in September 2016, which grew from 100 researchers at the start to more than 700 today.

Since the private launch, Netflix has “attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in”, the post said.

Behave, white hats: Netflix's rules state that if you access customer information, you have to stop testing and submit the bug. Researchers should also only launch attacks at their own accounts, and (naturally enough) not hose the Netflix servers.

Stay within the bounty's rules, and Netflix promises not to sue, which is an important consideration in a world where litigation is increasingly deployed to try to silence research rather than fix vulnerabilities.

The company's full vulnerability disclosure terms are here.

Dropbox also on the 'we won't sue' list

Dropbox has also promised it won't sue researchers who play nice. The company today published guidelines to give researchers safe harbour.

Dropbox's Chris Evans wrote that vulnerability researchers have “faced decades of abuse, threats, and bullying”.

Evans has seen it all, apparently, from legal threats, referrals to authorities, attacks on character, abuse of process to gag researchers, and more.

He says Dropbox realised its own disclosure program (at HackerOne) didn't offer enough protection, so it's been updated.

Particularly welcome are promises that America's Computer Fraud and Abuse Act and Digital Millennium Copyright Act won't be deployed against good-faith security research; and if a third party tries to intervene to block research under the Dropbox program, the company “will make it clear when a researcher was acting in compliance with the policy (and therefore authorised by us)”.

Researchers are instructed that Dropbox won't negotiate bounties under any kind of duress, and asked to give the company reasonable time to roll out fixes. ®
