Introducing the Dropbox bug bounty program

Protecting the privacy and security of our users’ information is a top priority for us at Dropbox. In addition to hiring world class experts, we believe it’s important to get all the help we can from the security research community, too. That’s why we’re excited to announce that starting today, we’ll be recognizing security researchers for their effort through a bug bounty program with HackerOne.

Bug bounties (or vulnerability rewards programs) are used by many leading companies to improve the security of their products. These programs provide an incentive for researchers to responsibly disclose software bugs, centralize reporting streams, and ultimately allow security teams to leverage the external community to help keep users safe (something I’ve advocated for in previous research).

While we work with professional firms for pentesting engagements and do our own testing in-house, the independent scrutiny of our applications has been an invaluable resource for our team — allowing our team to tap into the expertise of the broader security community. We’ve recognized the contributions of the researchers we’ve worked with in a public hall of fame, and now we’re very excited to be one of several companies that provide monetary rewards, too. In fact, we’ll be retroactively rewarding researchers who’ve reported critical bugs in our applications through our existing program, paying out $10475 today.

Here are some additional details about the program:

  1. What is the minimum and maximum bounty?
    We do not have an official maximum bounty. The minimum bounty for qualifying bugs is $216 and the maximum bounty that we have paid out till now is $4913.
  2. What if I report a duplicate vulnerability?
    We will reward the first report.
  3. What applications are in scope for this bounty?
    For now, the Dropbox, Carousel, and Mailbox iOS and Android applications; the Dropbox and Carousel web applications; the Dropbox desktop client as well as the Dropbox Core SDK are eligible for the bounty program. We may also reward for novel or particularly interesting bugs in other Dropbox applications.
  4. Are there other rules?
    You can find more details about the rewards program on our HackerOne page.

This is another step in our commitment to security and privacy, which has already been reflected in the recognition and ranking by external organizations like EFF and SSLLabs, as well as our participation and support of organizations like SimplySecure. We look forward to working with security researchers and awarding them for their contributions to the security of all Dropbox users.