This is the major takeaway point. More and more shady companies in the past few years have been starting to file lawsuits and take legal action against researchers who they declare went out of scope, or just outright broke the law by doing research and disclosure against their software/device/product. These companies are trying to stifle legitimate security research because they are too lazy or ignorant to fix their problems. It's nice to see such a large entity taking a public stance on how they feel bug bounties and general security research should operate.
Long story short: they didn't sue him. Their legal demanded that he delete DJI IP and secrets. It wasn't a friendly demand, but that's all it looks like it was.
The irony in this story couldn't be bigger:
- He is a Russian who exercised free speech in the US, and got arrested right there. Imagine that happening with the roles of US and Russia reversed!
- He was only dropped from prosecution in exchange for agreeing to testify and to leave the US. Again, imagine that happening with the roles of US and Russia reversed!
- He essentially provided free research, sharing their findings with the public, instead of abusing them in private.
- It was not even a serious security issue. It was just a flaw in a system which nobody expected to work for long anyway. (Really, how could copy protection ever work without exercising full control over all audio and video hardware? And even those could be reverse engineered over time.)
- Plain copyright law was sufficient to cause all that trouble for him. No computer security laws or homeland security laws were needed.
Charging him under the CFAA was a ridiculous abuse of that law.
1. Keeper is suing Dan Goodin, a reporter, for (I think?) defamation. (Keeper is evil and you should never use them, but they're not pursuing the researcher under CFAA or DMCA).
2. Chris Vickery found a database backup of a whole company, analyzed it and found that they were shady, and published directly from the database backup. That's not really vulnerability research, and is a bit akin to finding a vulnerability and then using it to dump an account table to Pastebin.
3. PwC C&D'd (but didn't sue) a firm called ESNC. The software ESNC was testing was available only under an NDA license; I assume ESNC got access transitively through a client. This happens a lot in enterprise pentesting. ESNC published anyways, and nothing happened.
4. DJI rescinded KF's authorization to continue testing when he refused to accept the terms of a bounty (which included both disclosure limitations [which may or may not have been reasonable] and a promise not to do post-compromise pivoting [which is entirely DJI's prerogative]). KF rejects the bounty terms, and DJI legal gets involved and demands that he delete any DJI IP or secrets he's taken. This is unfriendly, but not a lawsuit.
Maybe a better way to put it: it's hard to see how any of the examples in this article would be addressed by Dropbox's VDP.
Given the rather asymmetric nature of the power in these interactions, even something as simple as just being responded to with a legal letterhead rather than an email from the security department has a stifling effect I'd argue.
That's hugely important if you want bug bounty programs to appeal to people who are distrusting of federal prosecutors and the FBI.
Without it, there's a lot of anxiety and uncertainty with testing live systems.
It's possible that GP meant giving independent researchers access to internal tools. That would be interesting but also very difficult to pull off safely.
A few years ago I was testing a service acquired by Dropbox and they updated the scope of the Dropbox acquisitions program on HackerOne to exclude said program while I was in the middle of testing it and I didn't notice (checked later with the "last updated" diff). Unfortunately the vulnerability(ies) I discovered didn't count and their reply was all "no harm, no foul, thanks anyway."
The Google Play Store has a change log.
Websites virtually never have change logs.
I've never used it but I know that it gets updated quite regularly without giving much information:
And as you can see I'm not the only one to ask for a changelog about this product:
> thomas l.14 : CHANGE LOOOOOOOOGS !
It is a shame if this announcement only concerns the website and not the full environment :(
Minor issue, but it's DMCA-- if someone reading this has edit rights on the page you may want to fix this.
You also broke the guideline asking people not to do the "did you read" thing. It would be good if you'd (re-)read https://news.ycombinator.com/newsguidelines.html and follow them when commenting here.
Turtles all the way down.