Security

What ends with X and won't sue security researchers?

Netflix lures bounty-hunters, Dropbox offers vulnerability research safe harbour

By Richard Chirgwin

If you listen carefully, you'll hear the sound of a very small ship coming in: Netflix has joined Bugcrowd, offering bounties of up to US$15,000 for vulnerabilities.

The bounty program covers a host of apps and platforms: the Netflix Android and iOS mobile apps, the various APIs at netflix.com, nine other domains on netflix.com, and its *.nflximg.net, nflxext.com, and nflximg.net domains.

Netflix's announcement explained that the Bugcrowd public launch follows a private program initiated in September 2016, which grew from 100 researchers at the start to more than 700 today.

Since the private launch, Netflix has “attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in”, the post said.

Behave, white hats: Netflix's rules state that if you access customer information, you have to stop testing and submit the bug. Researchers should also only launch attacks at their own accounts, and (naturally enough) not hose the Netflix servers.

Stay within the bounty's rules, and Netflix promises not to sue, which is an important consideration in a world where litigation is increasingly deployed to try to silence research rather than fix vulnerabilities.

The company's full vulnerability disclosure terms are here.

Dropbox also on the 'we won't sue' list

Dropbox has also promised it won't sue researchers that play nice. The company today published guidelines to give researchers safe harbour.

Dropbox's Chris Evans wrote that vulnerability researchers have “faced decades of abuse, threats, and bullying”.

Evans has seen it all, apparently, from legal threats, referrals to authorities, attacks on character, abuse of process to gag researchers, and more.

He says Dropbox realised its own disclosure program (at HackerOne) didn't offer enough protection, so it's been updated.

Particularly welcome are promises that America's Computer Fraud and Abuse Act and Digital Millennium Copyright Act won't be deployed against good-faith security research; and if a third party tries to intervene to block research under the Dropbox program, the company “will make it clear when a researcher was acting in compliance with the policy (and therefore authorised by us)”.

Researchers are instructed that Dropbox won't negotiate bounties under any kind of duress, and asked to give the company reasonable time to roll out fixes. ®
