Dropbox updated its vulnerability disclosure policy Wednesday, not only looking to clarify its relationship with cybersecurity researchers, but also attempting to set a standard for the rest of the tech industry.
The San Francisco file-hosting company said the move is a response to “decades of abuse, threats, and bullying” against researchers who find and describe bugs in commercial software. Lawsuits are common, and journalists as well as traditional researchers can be caught up in fights over vulnerability disclosures. The highest-profile ongoing lawsuit is Keeper Security’s defamation suit against Ars Technica journalist Dan Goodin about an article that described flaws in Keeper’s password manager.
The new vulnerability disclosure policy lines up with what Amit Elazari, a University of California at Berkeley Law doctoral candidate, has been continuously pushing tech companies to do in recent talks and research. Earlier this month, Elazari successfully lobbied DropBox to further expand the policy including a clause pledging they would not bring a DMCA claim against good faith participants in the bug bounty program.
Dropbox’s new policy — which the company invited others in the industry to use as a template — was updated with the following elements:
- A clear statement that external security research is welcomed.
- A pledge to not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations.
- A clear statement that we consider actions consistent with the policy as constituting “authorized” conduct under the Computer Fraud and Abuse Act (CFAA).
- A pledge that we won’t bring a Digital Millennium Copyright Act (DCMA) action against a researcher for research consistent with the policy.
- A pledge that if a third party initiates legal action, Dropbox will make it clear when a researcher was acting in compliance with the policy (and therefore authorized by us).
- A specific note that we don’t negotiate bounties under duress. (If you find something, tell us immediately with no conditions attached.)
- Specific instructions on what a researcher should do if they inadvertently encounter data not belonging to themselves.
- A request to give us reasonable time to fix an issue before making it public. We do not, and should not, reserve the right to take forever to fix a security issue.
“We’ve done this because we’d like to see others take a similar approach,” Dropbox Head of Security Chris Evans wrote on Wednesday. “We value the open security research community and have taken steps to protect researchers. We expect any company which has security as a priority will do the same.”
The updated policy was received positively by security professionals on social media: