The security community has curious norms for social status, when viewed from the outside. This is true of many communities. (A brief sampling: karma on HN looks crazy to Japanese salarymen. An open-floorplan desk closest to the window looks crazy to an American academic. "Your name, in small print, first among three names in a dead-tree publication that no one reads." sounds pretty crazy to most HNers.)
There are very curious mating rituals for selling security consulting. Ask Thomas for the specifics -- he's far better versed in them than I am. Suffice it to say that "I owned X -- here's proof" is very much not of zero value while you're doing that dance.
Well, one obvious answer would be, "don't bother to tell them".
Of course, it's hard to think of what else you might do with a Dropbox web finding. I sort of doubt there's a liquid market in Dropbox vulnerabilities. For one thing, vulnerabilities that do have markets tend to have patch lifecycles longer than "instantaneously fixed as soon as target finds out about vulnerability".
You can also choose to publish on your own website. This buys you not a whole lot more than just informing Dropbox, except to signal to the professional market that you will go out of your way not to help people like Dropbox when you find a bug.
Nobody in the whole wide world is obligated to do free research for Dropbox. That's not what pages like these are meant to imply.
Thanks for the illumination. I don't have any specific issue with Dropbox, I am just tired of doing free work for corporations in return for a small increment in some integer in some database (HN, Reddit or /. karma) when that increment isn't worth any money and isn't going to get me laid.
Believe it or not, there is also the aspect of civil courage, one willing to protect the others from potential harm. Detectify was born out of the frustration that an overwhelming part of the internet is completely insecure for users. Usually completely unaware users.
Analogy: It's like you walking by a leaning scaffold with people passing under it. You realize that the scaffold is just a hair's breadth from rambling down, potentially harming a bunch of people. Bounty or not, you report to the authorities or the hard hats. Don't you?
Co-founder @ detectify.com
Happy to be making a buck while hopefully making the interwebz a safer place ;)