Dropbox Bug Bounty Program: Best Practices

Dropbox is recognizing security researchers for submitting security bugs through a bug bounty program with HackerOne and Bugcrowd. Whether you’re a security bug guru or a complete newbie, we want to make it as easy as possible to submit any bugs you find!

To this end, we’ve compiled the top 5 security bug report tips from our very own Security Engineers:

  1. Build a stronger report by including information on the actual and potential impact of the vulnerability, as well as details of how it could be exploited.
  2. Include the methodology you used to find the bug, and the steps to reproduce it.
  3. Please submit your findings only after you have verified the bug yourself.
  4. Submit the report in your native language if you don’t feel comfortable submitting it in English.
  5. Make sure that you gain reputation!

If you’re wondering what a good bug report looks like, here’s an example:

https://hackerone.com/reports/56828

This report has a clear, concise description of the bug, highlights both its actual and potential impact, and gives step-by-step instructions for reproducing the vulnerability. Including these details makes your bug report as useful as possible to us and increases the chances that we can act on it.