Dropbox sets vulnerability disclosure policy to protect security technician's rights

ByIan Lamont

online storageI am operating a serviceDropboxWe are implementing a vulnerability incentive system, and we have introduced a system that pays a maximum of approximately 33,000 dollars (approximately 3.5 million yen) depending on the content of the report. However, Dropbox points out that security researchers in recent years have litigated "victimizing corporations" by disclosing vulnerability information, which is preventing the development of security technology . Therefore, Dropbox updated the vulnerability disclosure policy (VDP) for protecting security researchers and made it into a template so that it can be used by other companies.

Protecting Security Researchers | Dropbox Tech Blog
https://blogs.dropbox.com/tech/2018/03/protecting-security-researchers/

According to Dropbox, it explains that the following risks exist in publications, research, reports, etc. regarding security.

· Risks to be filed lawsuits
· Risk that is openly condemned to "act of exposing vulnerability" and "personality of researcher"
· Risks that security research that should have been done in good faith is erroneously interpreted by law and recognized as a criminal act
· Threatens researchers by misusing legislation or business so that research results and others can not be disclosed

Dropbox raises the question that these risks will interfere with the security community's activities leading to the development of security technology. Recently, Dropbox seems to be feeling a sense of incompatibility with the increasing number of companies that take actions that can be taken as the above-mentioned intimidation acts, as media that reported vulnerabilities of password management tools have been sued by manufacturers .

ByAdrian Scottow

Therefore, Dropbox started changing the VDP and has added the following eight provisions in order to protect security engineers.

1. Writing external security research is clearly stated
2. Security studies conducted based on this VDP should not take legal action even if damage to Dropbox is given
3.Computer Crime Control Act (CFAA)We stipulate that it is a legitimate act if it conforms to this VDP
4. If it is an action conforming to this VDP,Digital Millennium Copyright Act (DMCA)Do not let the researcher bear the responsibility as a copyright infringement act by
5. If a third party initiates legal action, prove that the researcher acts in accordance with the VDP and is an action authorized by Dropbox
6. Dropbox does not present unreasonably low amount or negotiate with payment of incentive
7. If researchers inadvertently access data that is not related to vulnerability, such as confidential information of the system, Dropbox instructs appropriate measures
8. Do not release the information until the dropbox has passed the time required for the vulnerability countermeasure

Dropbox says he will not use bug incentives as researcher's spell. In order to show this, VDP has the minimum limitation on disclosure of vulnerability information and it seems that there is no restriction on disclosure of information if the period of vulnerability correspondence has passed. And, Dropbox has released itVDPIs also a content which can be used as a template so that it can be diverted easily by other companies, so it seems that many companies can adopt it.

Dropbox explains that if this VDP is adopted by many companies, security researchers can be protected across the industry, leading to the development of security technology.