That said, IBM agreed to give Dropbox at least 90 days to verify the vulnerability — enough time for Dropbox to ensure that those using its SDK had patched their products.