Dropbox updates its vulnerability disclosure policy to protect researchers

The cloud-based company aims to set an example for other businesses after realizing security researchers have faced "decades of abuse, threats, and bullying"
Written by Stephanie Condon, Senior Writer

After realizing that security researchers have suffered from "decades of abuse, threats, and bullying," Dropbox on Wednesday announced it has updated its vulnerability disclosure policy (VDP).

Aiming to make its policy "best-of-breed," Dropbox said it's making the text of its VDP a freely copyable template.

"We've done this because we'd like to see others take a similar approach," Dropbox head of security Chris Evans wrote in a blog post. "We value the open security research community and have taken steps to protect researchers. We expect any company which has security as a priority will do the same."

Evans wrote that Dropbox was motivated to update its policy by "recent events and discussions." He pointed to recent ZDNet reporting on a lawsuit filed by Keeper, the maker of the Keeper password manager. Keeper sued the publication Ars Technica and its security editor Dan Goodin after it published a story reporting a vulnerability disclosure. The lawsuit was widely decried by security experts and researchers.

Following those developments, Evans said, Dropbox realized that too few companies "formally commit" to abstaining from abuse against security researchers. He listed specific forms of abuse that should come to an end, including legal threats and inappropriate referral to authorities, public character attacks, laws against good-faith security research, and firing researchers.

Evans laid out eight elements of the updated Dropbox VDP:

  1. A clear statement that external security research is welcomed.
  2. A pledge to not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations.
  3. A clear statement that we consider actions consistent with the policy as constituting "authorized" conduct under the Computer Fraud and Abuse Act (CFAA).
  4. A pledge that we won't bring a Digital Millennium Copyright Act (DMCA) action against a researcher for research consistent with the policy.
  5. A pledge that if a third party initiates legal action, Dropbox will make it clear when a researcher was acting in compliance with the policy (and therefore authorized by us).
  6. A specific note that we don't negotiate bounties under duress. (If you find something, tell us immediately with no conditions attached.)
  7. Specific instructions on what a researcher should do if they inadvertently encounter data not belonging to themselves.
  8. A request to give us reasonable time to fix an issue before making it public. We do not, and should not, reserve the right to take forever to fix a security issue.

Additionally, Evans noted, Dropbox does not gate researchers interested in publishing vulnerability details. "Using policy or bug bounty payments to muzzle or curate scientific publication would be wrong," he wrote.