Live-hacking Dropbox @ H1-3120

H1-3120 Most Valuable Hacker mrtuxracer (Image source: HackerOne)

In 2018, Dropbox focused on improving our world-class bug bounty program. From increasing bounties to protecting our researchers, we’re always looking for more creative and meaningful ways to stay ahead of the game when it comes to running this program.

As an example, we recently partnered with HackerOne to host their H1-3120 live-hacking event in Amsterdam. Live-hacking events let participants hack on a target—often in person—submit vulnerabilities, and receive bounties quickly, all during the course of the event. Live-hacking comes with a number of benefits over traditional bug bounty programs, such as real-time communication and relationship building, which makes finding vulnerabilities and receiving bounties much easier. The event was a huge success! We received plenty of stellar reports and doubled the highest amount we’ve ever paid in a single day for bug bounties.

H1-3120 planning

To prepare for the event, we sat down to determine how to get the most value possible out of the short time we had with the hackers. From that discussion, we came up with three objectives:

  • Significantly increase the research scope for the event
  • Provide a fast and efficient communication channel for the participants
  • Offer information and guidance to aid in bug bounty research

Increased scope

Dropbox aims to have one of the most permissive scopes in the bug bounty world. Scope is the predefined set of targets that bug hunters are allowed to test. In addition to Dropbox assets, we’ve begun to migrate some of our external partners into scope as well. For H1-3120, we required more of our vendors to take on the challenge of participating in bug bounty research. Five SaaS vendors we use were placed in scope for the event, with Dropbox handling all of the triage and paying bounties for any reports.

Both HackerOne staff and participants found this exciting. In fact, including vendors as part of the scope for a HackerOne live-hacking event had never been done before. For us, the decision just made sense: when Dropbox engages a vendor who will have access to sensitive Dropbox data, we hold them to very high security standards, including a commitment to welcome scrutiny by Dropbox and other security researchers.

Efficient communication

We wanted to ensure that our H1-3120 participants had the best possible opportunity to find vulnerabilities in Dropbox and our vendors. We made sure that someone was available to field questions over Slack the week prior to the event while the participants were doing reconnaissance. Additionally, we participated in a conference call with the hackers to answer questions and give advice.

Information and guidance

To help participants find more valuable bugs, we decided to show them a handful of vulnerabilities that Dropbox has had in the past as well as highlight places that we think have the highest risk for potential vulnerabilities. By getting more eyes on the least frequently tested parts of Dropbox, we help researchers—and ourselves—make Dropbox more secure.

The event

H1-3120 started off with a flurry of submissions. In the weeks prior, the hackers were already trying to find vulnerabilities in both Dropbox and our vendors. The plethora of submissions at H1-3120 showcased that effort. Within the first 30 minutes of the event, over 50 reports came in, ranging from simple information disclosure to cross-site scripting. The hackers even found a remote code execution vulnerability in the perimeter of one of our vendors!

The Dropbox Security team had a blast meeting researchers, hunting complex vulnerabilities, and improving the security of our product. After the last reward was paid out, Dropbox had distributed more than $80,000 in bounties to researchers at the event, with over $5,000 of that donated to charities.

Conclusion

The real value we’ve experienced from the event is the overall uptick in interest in our bug bounty program. Since H1-3120, we’ve had a 23% increase in submissions per day to our program, including a report from bug hunter detroitsmash with a $9,000 bounty.

In addition, our new relationships with the researchers are proving to be invaluable. We’ve had a number of conversations with our more frequent bug bounty participants, leading to HackerOne reports that we’ve subsequently awarded bounties for. We’re planning to connect more with our recurring researchers to build on these important relationships.

Dropbox is committed to ensuring our bug bounty program draws the best bug hunting talent from around the world. When friendly hackers find the vulnerabilities before the bad actors do, that’s a huge win for the entire security community. Thanks to all the participants of H1-3120 as well as all the security researchers who send us reports every day!