Security

What ends with X and won't sue security researchers?

Netflix lures bounty-hunters, Dropbox offers vulnerability research safe harbour

By Richard Chirgwin

3 SHARE

If you listen carefully, you'll hear the sound of a very small ship coming in: Netflix has joined Bugcrowd, offering bounties of up to US$15,000 for vulnerabilities.

The bounty program covers a host of apps and platforms. Netflix Android and iOS mobile apps are included, the various APIs at netflix.com, nine other domains on netflix.com, its *.nflximg.net, nflxext.com, and nflximg.net domains.

Netflix's announcement explained that the Bugcrowd public launch follows a private program initiated in September 2016, which grew from 100 researchers at the start to more than 700 today.

Since the private launch, Netflix has “attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in”, the post said.

Behave, white hats: Netflix's rules state that if you access customer information, you have to stop testing and submit the bug. Researchers should also only launch attacks at their own accounts, and (naturally enough) not hose the Netflix servers.

Stay within the bounty's rules, and Netflix promises not to sue, which is an important consideration in a world where litigation is increasingly deployed to try and silence research rather than fix vulnerabilities.

The company's full vulnerability disclosure terms are here.

Dropbox also on the 'we won't sue' list

Dropbox has also promised it won't sue researchers that play nice. The company today published guidelines to give researchers safe harbour.

Dropbox's Chris Evans wrote that vulnerability researchers have “faced decades of abuse, threats, and bullying”.

Evans has seen it all, apparently, from legal threats, referrals to authorities, attacks on character, abuse of process to gag researchers, and more.

He says Dropbox realised its own disclosure program (at HackerOne) didn't offer enough protection, so it's been updated.

Particularly welcome are promises that America's Computer Fraud and Abuse Act and Digital Millennium Copyright Act won't be deployed against good-faith security research; and if a third party tries to intervene to block research under the Dropbox project, the company will “will make it clear when a researcher was acting in compliance with the policy (and therefore authorised by us)”.

Researchers are instructed that Dropbox won't negotiate bounties under any kind of duress, and asked to give the company reasonable time to roll out fixes. ®

Sign up to our NewsletterGet IT in your inbox daily

3 Comments

More from The Register

Uber JUMPs at chance to dump load of electric bikes across Islington

Trial starts in London borough with £25 fine for crap parking

Silence of the vans: Uber adds 'Plz STFU, driver' button to app for posh passengers using Black

Low wages and job insecurity, with an added hint of dehumanizing social control

What's that? Uber isn't actually worth $82bn? Reverse-gear IPO shows the gig (economy) is up

Debut skids off the road as people reluctantly admit they hoped everyone else's stupidity would help them cash out

What's a billion dollars between friends? Uber tosses match on mound of cash in first results since going public

Stock prices take predictable battering

Stop us if you're getting deja-vu: Uber used spyware to nobble dial-a-ride rival, this time Down Under, allegedly

Aussie media claims Silicon Valley giant used surveillance tool to torpedo competitor

Uber sued by Uber for tarnishing the good name of Uber

Can't we all just be Uber-alles?

Uber won't face criminal charges after its robo-car killed woman crossing street

Prosecutors mull complaint against the 'safety' driver, tho

Crowdfunded lawyer suing Uber told he can't swerve taxi app giant's £1m legal bill

If you lose, get your cheque book out, High Court judge rules amid two-year legal battle

Uber, Lyft rides among the biggest reasons why you're probably sitting in traffic right now – study

Maybe Wednesday's strike helped a bit

Uber 'does not exist any more' says Turkish president

Authorities start rounding up ride share drivers, passengers