After realizing that security researchers have suffered from "decades of abuse, threats, and bullying," Dropbox on Wednesday announced it has updated its vulnerability disclosure policy (VDP).
Aiming to make its policy "best-of-breed," Dropbox said it's making the text of its VDP a freely copyable template.
"We've done this because we'd like to see others take a similar approach," Dropbox head of security Chris Evans wrote in a blog post. "We value the open security research community and have taken steps to protect researchers. We expect any company which has security as a priority will do the same."
Evans wrote that Dropbox was motivated to update its policy by "recent events and discussions." He pointed to recent ZDNet reporting on a lawsuit filed by Keeper, the maker of password manager software. Keeper sued the publication Ars Technica and its security editor Dan Goodin after a story was posted reporting a vulnerability disclosure. The lawsuit was widely decried by security experts and researchers.
Following those developments, Evans said, Dropbox realized that too few companies "formally commit" to abstaining from abuse against security researchers. He listed specific forms of abuse that should come to an end, including legal threats and inappropriate referral to authorities, public character attacks, laws against good-faith security research, and firing researchers.
Evans laid out eight elements of the updated Dropbox VDP:
Additionally, Evans noted, Dropbox does not gate researchers interested in publishing vulnerability details. "Using policy or bug bounty payments to muzzle or curate scientific publication would be wrong," he wrote.