Netflix and Dropbox have both recently stated that they will not sue security researchers who find and disclose vulnerabilities in their products. The one caveat: the research must be conducted in line with each company's vulnerability disclosure policy and bug bounty program guidelines.
Dropbox Head of Security Chris Evans announced on Wednesday that they’ve updated their vulnerability disclosure policy to clearly say that the company will “not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations,” and that they “won’t bring a Digital Millennium Copyright Act (DMCA) action against a researcher for research consistent with the policy.”
“Anything that stifles open security research is problematic because many of the advances in security that we all enjoy come from the wonderful combined efforts of the security research community,” he pointed out.
“Motivated by recent events and discussions, we’ve realized that too few companies formally commit to avoiding [legal threats, suits, inappropriate referral to authorities, public attacks on researchers’ character or motivation, and pressuring, gagging, or firing researchers by abusing law or business relationships to the detriment of scientific publication].”
The company will consider actions consistent with the policy as constituting “authorized” conduct under the Computer Fraud and Abuse Act (CFAA), and if a third party initiates legal action, Dropbox will make it clear when a researcher was acting in compliance with the policy.
Dropbox asks researchers to give it "reasonable time" to fix an issue before making it public, but Evans noted that this does not mean the company reserves the right to take forever to fix a security issue.
The policy and other details about Dropbox's bug bounty program can be found here.
Netflix has been operating a private bug bounty program since September 2016 and initially invited 100 of Bugcrowd’s top researchers to participate.
The initial scope of the program has been increased considerably since then, and now 700 researchers have been invited to participate in it.
Detailed information about what is and is not in scope of the program can be found here.
What is important to point out is that the company promises to resolve reported issues quickly and not to bring a lawsuit against researchers, or ask law enforcement to investigate them, if their research and disclosure conform to the bug bounty guidelines.
Netflix allows "coordinated disclosure" for valid, remediated submissions, meaning researchers must obtain explicit permission from the company before publishing information about a vulnerability they found, even after it has been fixed.