Dropbox makes changes to its vulnerability disclosure policy

Cybersecurity researchers have faced decades of threats, bullying, and abuse. Dropbox has recognised this and updated its vulnerability disclosure policy to protect researchers' interests and prevent this from happening to those who report vulnerabilities to the company.

Chris Evans, the head of security at Dropbox, wants other organisations to take a similar approach. He revealed that the latest changes were inspired by recent events and discussions, pointing to Keeper suing Ars Technica as one example. He believes that forms of abuse such as public character attacks, inappropriate referral to law enforcement, legal threats, firing researchers, and laws that criminalise good-faith security research should come to an end.

Specifically, the updated vulnerability disclosure policy covers the following areas:

  1. Dropbox will not negotiate bounties under duress. Discoveries should be reported promptly, without attaching conditions to the report.
  2. The policy states plainly that external security research is welcome and beneficial.
  3. Dropbox will not bring DMCA action against a researcher who respects and follows the policy.
  4. Dropbox will not take legal action against researchers who respect the policy.
  5. The policy gives specific instructions on what a researcher should do if they inadvertently encounter data belonging to someone else.
  6. Research conducted within the bounds of the policy is considered authorised conduct under the Computer Fraud and Abuse Act (CFAA).
  7. If a third party pursues legal action against a researcher, Dropbox will make it clear that the researcher was acting in compliance with the policy.
  8. Researchers must give Dropbox a reasonable amount of time to fix a vulnerability before going public; in turn, Dropbox commits that it will never hold off disclosure for an indefinite amount of time.