
Protecting Security Researchers - dsr12
https://blogs.dropbox.com/tech/2018/03/protecting-security-researchers/
======
Rotdhizon
"A pledge to not initiate legal action for security research conducted
pursuant to the policy, including good faith, accidental violations."

This is the major takeaway point. More and more shady companies in the past
few years have been starting to file lawsuits and take legal action against
researchers who they declare went out of scope, or just outright broke the law
by doing research and disclosure against their software/device/product. These
companies are trying to stifle legitimate security research because they are
too lazy or ignorant to fix their problems. It's nice to see such a large
entity taking a public stance on how they feel bug bounties and general
security research should operate.

~~~
chatmasta
This is the first I’ve heard of such a widespread problem. Do you have any
examples?

~~~
Rotdhizon
I know there was one about a bug bounty researcher finding massive
vulnerabilities in a Chinese company's drones (link below). They then claimed
he went out of scope (he didn't), and threatened to sue him. A few other cases
were reported on ZDNet a few months back about some cases like this. Mostly
website/product owners leaving their systems vulnerable after being contacted.
Months/years later some researchers did a public disclosure and the companies
then tried/did take legal action.

[https://news.ycombinator.com/item?id=15721268](https://news.ycombinator.com/item?id=15721268)

~~~
tptacek
I summarized this here:
[https://news.ycombinator.com/item?id=16642155](https://news.ycombinator.com/item?id=16642155)

Long story short: they didn't sue him. Their legal demanded that he delete DJI
IP and secrets. It wasn't a friendly demand, but that's all it looks like it
was.

------
EdOverflow
This is a wonderful thing to see and I hope that more vendors will follow
suit. Amit Elazari [1] has been doing some amazing work in this field
advocating for legal safe harbours for security researchers. She posts regular
reviews of security policies encouraging vendors to help protect security
researchers using #legalbugbounty on Twitter. [2] In fact, it appears that
Amit was responsible for some of the changes to Dropbox's security policy:
[https://twitter.com/d0nutptr/status/973322158351921152](https://twitter.com/d0nutptr/status/973322158351921152).
Well done, Dropbox and Amit!

[1]: [https://twitter.com/AmitElazari](https://twitter.com/AmitElazari)

[2]:
[https://twitter.com/hashtag/legalbugbounty](https://twitter.com/hashtag/legalbugbounty)

------
CiPHPerCoder
> 3. A clear statement that we consider actions consistent with the policy as
> constituting “authorized” conduct under the Computer Fraud and Abuse Act
> (CFAA).

That's hugely important if you want bug bounty programs to appeal to people
who are distrusting of federal prosecutors and the FBI.

Without it, there's a lot of anxiety and uncertainty with testing live
systems.

------
tptacek
This is an extremely researcher-friendly VDP, and, powerfully, includes
essentially a demand that Dropbox partners adopt comparable VDPs; Facebook did
something similar (but less formally) a few years ago when BlueCoat started
threatening researchers.

------
FlyingLawnmower
At first glance, this seems awesome. I have to applaud Dropbox for their
forward stance here.

~~~
stochastic_monk
Considering their terrible track record for maintaining users’ privacy, I’m
glad they’re taking a step in the right direction.

------
I_am_tiberius
This concerns the bug bounty itself: Is there a Dropbox internal bug bounty
program as well? As data is unencrypted, I assume the biggest threat to
customer data are Dropbox employees.

~~~
notsofastbuddy
I don't know of any company that publicly advertises the bonuses they give (if
any) to employees for finding vulnerabilities in their own software. That
seems more like part of someone's job description.

~~~
jessaustin
Yeah the incentives get very murky very quickly there. One employee might
ignore a vuln now so as to get a bounty for it later. A manager might give a
known vuln-maker code access. Any group of employees might conspire to do
either of those or something else at some remove. An actual attacker might
manipulate any such conspiracy... It might be interesting as a study of Gambit
Roulette, but not as any way to run a firm.

It's possible that GP meant giving independent researchers access to internal
tools. That would be interesting but also very difficult to pull off safely.

------
jtl999
I appreciate the transparency.

A few years ago I was testing a service acquired by Dropbox and they updated
the scope of the Dropbox acquisitions program on HackerOne to exclude said
program while I was in the middle of testing it and I didn't notice (checked
later with the "last updated" diff). Unfortunately the vulnerability(ies) I
discovered didn't count and their reply was all "no harm, no foul, thanks
anyway."

------
rhinoceros
On the dropbox security issue, does anyone have a way to get a proper
changelog for new versions? It does not seem to exist.

~~~
paulddraper
New versions of.....?

The Google Play Store has a change log.

Websites virtually never have change logs.

~~~
rhinoceros
Dropbox also provides a desktop application:
[https://www.dropbox.com/help/desktop-web/desktop-application...](https://www.dropbox.com/help/desktop-web/desktop-application-overview)

I've never used it but I know that it gets updated quite regularly without
giving much information:
[https://www.dropboxforum.com/t5/Desktop-client-builds/Stable...](https://www.dropboxforum.com/t5/Desktop-client-builds/Stable-Build-45-4-92/m-p/269194)

And as you can see I'm not the only one to ask for a changelog about this product:

> thomas l.14 : CHANGE LOOOOOOOOGS !

edit: It is a shame if this announcement only concerns the website and not the
full environment :(

------
debatem1
"A pledge that we won’t bring a Digital Millennium Copyright Act (DCMA) action
against a researcher for research consistent with the policy."

Minor issue, but it's DMCA-- if someone reading this has edit rights on the
page you may want to fix this.

------
numbers
Thank you for posting this, this is what most companies should be pushing
forward!

------
arca_vorago
It seems like all of these issues are tied to identity. Is there not some
anonymous security reporting site à la SecureDrop?

~~~
patch_collector
It seems like the issue would be for people who want to publish their results,
get paid, and otherwise be able to publicize their accomplishments.

------
jaythvv
This is excellent

------
qrbLPHiKpiux
Justin Shafer

------
braderhart
The best way to get a company to do anything is through public disclosure,
however it is reasonable to reach out to them first, anonymously (so that they
don't sue you or kill you), and hope that they are decent people too.

~~~
Sohcahtoa82
Did you read the link at all? Or did you just see the title and decide you
needed to vomit your opinion?

~~~
dang
Personal attacks will get you banned here. Please don't do this again,
regardless of how empty another comment is.

You also broke the guideline asking people not to do the "did you read" thing.
It would be good if you'd (re-)read
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)
and follow them when commenting here.

~~~
deadbunny
Did you just assume someone hadn't read the posting guidelines?

...

Turtles all the way down.

~~~
dang
I see your point, but the purpose of the awkward "(re-)" bit is to indicate
the opposite.

