by tptacek
4915 days ago
Well, one obvious answer would be, "don't bother to tell them". Of course, it's hard to think of what else you might do with a Dropbox web finding. I sort of doubt there's a liquid market in Dropbox vulnerabilities. For one thing, vulnerabilities that do have markets tend to have patch lifecycles longer than "instantaneously fixed as soon as target finds out about vulnerability". You can also choose to publish on your own website. This buys you not a whole lot more than just informing Dropbox, except to signal to the professional market that you will go out of your way not to help people like Dropbox when you find a bug. Nobody in the whole wide world is obligated to do free research for Dropbox. That's not what pages like these are meant to imply.