Protecting Security Researchers

At Dropbox, we encourage, support, and celebrate independent open security research.

One way we do this is via our bug bounty program. We recently tripled our rewards to industry leading values. We also celebrated some of the amazing hacker community results with top-up bonuses, where we retroactively issued additional rewards for particularly unusual, clever, or high-impact findings.

This post, however, is not about bug bounty programs. While a well-run bug bounty program is mandatory for maintaining top-tier security posture, this post is about the foundation on which bug bounty programs are built: the Vulnerability Disclosure Policy (VDP). It’s possible to have a great VDP without having a bug bounty program, and organizations should start their security journey there.

Unfortunately, open security research, publication, and reporting has faced decades of abuse, threats, and bullying, such as:

1. Legal threats, formal legal suits filed, and inappropriate referral to authorities.
2. Public attacks on character or motivation.
3. Laws that are vague or misguided, and may ban or criminalize good faith security research or publication.
4. Pressuring, gagging, or firing researchers by abusing law or business relationships to the detriment of scientific publication.

Anything that stifles open security research is problematic because many of the advances in security that we all enjoy come from the wonderful combined efforts of the security research community. Motivated by recent events and discussions, we’ve realized that too few companies formally commit to avoiding many of the above behaviors.

Looking at our own VDP, we realized we could do better, and immediately committed to updating our VDP to be best-of-breed. Our updated VDP contains the following elements:

1. A clear statement that external security research is welcomed.
2. A pledge to not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations.
3. A clear statement that we consider actions consistent with the policy as constituting “authorized” conduct under the Computer Fraud and Abuse Act (CFAA).
4. A pledge that we won’t bring a Digital Millennium Copyright Act (DMCA) action against a researcher for research consistent with the policy.
5. A pledge that if a third party initiates legal action, Dropbox will make it clear when a researcher was acting in compliance with the policy (and therefore authorized by us).
6. A specific note that we don’t negotiate bounties under duress. (If you find something, tell us immediately with no conditions attached.)
7. Specific instructions on what a researcher should do if they inadvertently encounter data not belonging to themselves.
8. A request to give us reasonable time to fix an issue before making it public. We do not, and should not, reserve the right to take forever to fix a security issue.

And there’s one thing our VDP does not contain: we don’t gate researchers who wish to publish vulnerability details. Using policy or bug bounty payments to muzzle or curate scientific publication would be wrong.

We’re also happy to announce that all of the text in our VDP is a freely copyable template. We’ve done this because we’d like to see others take a similar approach. We’ve put some effort in to this across our legal and security teams and if you like what you see, please use it. Similarly, if you have improvements to suggest, we’d love to hear from you.

Of course, running a top-notch VDP isn’t just about the formal policy. It’s also about showing respect to researchers. We try and do this in various ways, including via prompt responses, fast payouts, transparency, and open conversations directly with our security engineers. For top bug bounty participants (for Dropbox or just generally), we invite them to visit our offices and give talks, and occasionally set up special internal contracts.

We used some great references when refreshing our VDP and we’d like to give them a shout out here: HackerOne’s VDP guidelines and the US DoJ Cyber Security unit’s VDP framework. We also took into consideration recent Senate testimony of experts in vulnerability disclosure in the role hackers can play in strengthening security.

In order to do our part to expand protections for researchers more broadly, we’re going to take an unfavorable view of potential suppliers who do not have VDPs protective of researchers, or do not have VDPs at all. A missing or restrictive VDP is often a sign of poor security. Conversely, a VDP welcoming arbitrary research and offering researcher protections is usually a sign of a mature security posture.

We value the open security research community and have taken steps to protect researchers. We expect any company which has security as a priority will do the same. We invite the broader industry to join us in these protections and expectations.