
What ends with X and won't sue security researchers?

Netflix lures bounty-hunters, Dropbox offers vulnerability research safe harbour


If you listen carefully, you'll hear the sound of a very small ship coming in: Netflix has joined Bugcrowd, offering bounties of up to US$15,000 for vulnerabilities.

The bounty program covers a host of apps and platforms: the Netflix Android and iOS mobile apps, the various APIs at netflix.com, nine other netflix.com domains, and the *.nflximg.net, nflxext.com and nflximg.net domains.

Netflix's announcement explained that the Bugcrowd public launch follows a private program initiated in September 2016, which grew from 100 researchers at the start to more than 700 today.

Since the private launch, Netflix has “attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in”, the post said.

Behave, white hats: Netflix's rules state that if you access customer information, you have to stop testing and submit the bug. Researchers should also only launch attacks at their own accounts, and (naturally enough) not hose the Netflix servers.

Stay within the bounty's rules, and Netflix promises not to sue, which is an important consideration in a world where litigation is increasingly deployed to try and silence research rather than fix vulnerabilities.

The company's full vulnerability disclosure terms are here.

Dropbox also on the 'we won't sue' list

Dropbox has also promised it won't sue researchers who play nice. The company today published guidelines to give researchers safe harbour.

Dropbox's Chris Evans wrote that vulnerability researchers have “faced decades of abuse, threats, and bullying”.

Evans has seen it all, apparently, from legal threats, referrals to authorities, attacks on character, abuse of process to gag researchers, and more.

He says Dropbox realised its own disclosure program (at HackerOne) didn't offer enough protection, so it's been updated.

Particularly welcome are promises that America's Computer Fraud and Abuse Act and Digital Millennium Copyright Act won't be deployed against good-faith security research; and if a third party tries to intervene to block research conducted under the Dropbox program, the company “will make it clear when a researcher was acting in compliance with the policy (and therefore authorised by us)”.

Researchers are instructed that Dropbox won't negotiate bounties under any kind of duress, and asked to give the company reasonable time to roll out fixes. ®
