Updates on the Dropbox Bug Bounty Program

We first launched our bug bounty program in 2014, with initial bounties for critical bugs in the range of $5,000, ramping up to (currently) over $10,000 for critical bugs. Over the past three years, leading security researchers from around the world have participated in our programs with some amazing, often original research. Beyond just the individual bugs, we have learned many a lesson, uncovering unique, interesting threats, exploit vectors, and new research as well as rejigged our priorities based on the bug bounty reports. From Dropbox and all our users, a big THANK YOU to all the researchers that help secure Dropbox for our users!

Today, we’re excited to announce a number of improvements to the program, as well as highlight the progress we’ve made internally, in terms of both response and fix times.

We know that researchers value quick response and rewards. We recently measured our response times since 2014 and learned that 75% of our responses were within 2 days and 2 hours, with the quickest response being around 50 minutes. We have been working hard to improve our responsiveness and our reward latency even more. Over the last 12 months, we’ve drastically reduced our 75th percentile response time to under 16 hours of the report. For high-quality reports, we usually reward as soon as we reproduce the bug. In fact, we have sometimes paid out within minutes of receipt of a bug.

Fastest triage payout tweet
Fast triage payout acknowledgement

Through the bug bounty program, we have found a pool of incredible researchers who consistently do high-quality work. To further encourage such research, we’ve invited these researchers to a VIP program where we provide early access to upcoming features. Since the start of this program, 75% of our VIP reports got responses within 16 hours, and over the last year, we have reduced this time to 9 hours.

Talking to the community, we also know that hackers really value quick resolution of reported bugs. We typically aim to resolve high and critical bugs as soon as possible. We have resolved some bugs in under an hour of the report; for reports with bounties of more than $1,000, we resolved (fixed and out to the world) more than half of them in under 16 days.

Fast bugfix response acknowledgement from Frans Rosen

Dropbox users trust us with some of their most sensitive data, and we work ceaselessly to provide the best possible security for our users. Security researchers participating in our bug bounty program are a critical partner in this effort, and we are excited to announce three new updates to our program.

Tripling bounties

Starting right now, we are delighted to announce that we are more than tripling our bounties, with the reward for critical bugs — for example, bugs that could lead to remote code execution (RCE) on our servers — now topping out at $32,768 and bounties for RCE affecting our desktop/mobile clients at $18,564. To help kickstart this, we have also topped up any critical reports in the last 6 months with the equivalent increased bounty, paying out an additional bounty of over $28,000 for high/critical bugs reported this year.

Special Bonus for Great Research

Additionally, we have instituted a process to review particularly novel, high-quality research submitted to our program. At least twice a year, Dropboxers will go through high-quality submissions and award bonuses. Typical factors going into a decision include quality of report/research, interaction with researcher, and so on. With these bonuses, we also aim to encourage novel research. We just went through submissions this year and awarded an additional $14,000 in bonuses. Here are some examples of interesting bugs that we rewarded:

  1. Neex reported a local file disclosure vulnerability via ffmpeg HLS processing. While the impact on Dropbox was minimal since we sandbox all our video processing, we were impressed with the quality of research in the submitted vector: A video file that reads file contents is a pretty advanced vector.
  2. Mdv reported an XSS in the outbound chat vendor we use on our marketing pages. While the XSS was on the vendor’s domain, we pay based on impact, not based on whose fault it is. Mdv’s report was of a very high quality and thoughtfully explained how the XSS could impact our customers’ security.
  3. Frans reported a mailgun misconfiguration on email.gateway.dropbox.com. We fixed the bug within half an hour of the report. Since this is an unused domain, the impact was low. But, we loved the quality of the report, the clear description of the impact, and identifying issues in integrations is pretty innovative.

Matching donations

We have also started matching bounty donations to charity made through HackerOne. We recently matched a donation to Doctors Without Borders and look forward to supporting many a good cause with this matching.

Dropbox loves partnering with the security researchers to protect our users. Thank you to all the researchers who help make Dropbox secure for everyone!

Devdatta Akhawe manages the bug bounty program at Dropbox on top of his day job as engineering manager of the Product Safety team. If you’re a security researcher interested in participating in our bug bounty program, please contact us on HackerOne. We are also hiring.