
What ends with X and won't sue security researchers?

Netflix lures bounty-hunters, Dropbox offers vulnerability research safe harbour


If you listen carefully, you'll hear the sound of a very small ship coming in: Netflix has joined Bugcrowd, offering bounties of up to US$15,000 for vulnerabilities.

The bounty program covers a host of apps and platforms: the Netflix Android and iOS mobile apps, the various APIs at netflix.com, nine other netflix.com domains, and the *.nflximg.net, nflxext.com, and nflximg.net domains.

Netflix's announcement explained that the Bugcrowd public launch follows a private program initiated in September 2016, which grew from 100 researchers at the start to more than 700 today.

Since the private launch, Netflix has “attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in”, the post said.

Behave, white hats: Netflix's rules state that if you access customer information, you have to stop testing and submit the bug. Researchers should also only launch attacks at their own accounts, and (naturally enough) not hose the Netflix servers.

Stay within the bounty's rules, and Netflix promises not to sue, which is an important consideration in a world where litigation is increasingly deployed to try to silence research rather than fix vulnerabilities.

The company's full vulnerability disclosure terms are here.

Dropbox also on the 'we won't sue' list

Dropbox has also promised it won't sue researchers that play nice. The company today published guidelines to give researchers safe harbour.

Dropbox's Chris Evans wrote that vulnerability researchers have “faced decades of abuse, threats, and bullying”.

Evans has seen it all, apparently: legal threats, referrals to authorities, attacks on character, abuse of process to gag researchers, and more.

He says Dropbox realised its own disclosure program (at HackerOne) didn't offer enough protection, so it's been updated.

Particularly welcome are promises that America's Computer Fraud and Abuse Act and Digital Millennium Copyright Act won't be deployed against good-faith security research; and if a third party tries to intervene to block research under the Dropbox program, the company “will make it clear when a researcher was acting in compliance with the policy (and therefore authorised by us)”.

Researchers are instructed that Dropbox won't negotiate bounties under any kind of duress, and asked to give the company reasonable time to roll out fixes. ®
