Over the past five years, our bug bounty program has become an important part of improving our security posture, as it is now for many large tech companies. Transparency and defending the rights of legitimate researchers are cornerstones of the progress we’ve made, and the world is safer for it. To those outside of the security community, it may seem counterintuitive that you can make your platform safer by encouraging security researchers to attack you, but that’s exactly the value that these programs deliver. This process of discovering and remediating bugs is key to maintaining a highly secure organization and increasingly hardened product surfaces.
At Dropbox, we encourage, support, and celebrate independent open security research.
One way we do this is via our bug bounty program. We recently tripled our rewards to industry leading values. We also celebrated some of the amazing hacker community results with top-up bonuses, where we retroactively issued additional rewards for particularly unusual, clever, or high-impact findings.
This post, however, is not about bug bounty programs. While a well-run bug bounty program is mandatory for maintaining top-tier security posture, this post is about the foundation on which bug bounty programs are built: the Vulnerability Disclosure Policy (VDP).
We first launched our bug bounty program in 2014, with initial bounties for critical bugs in the range of $5,000, ramping up to (currently) over $10,000 for critical bugs. Over the past three years, leading security researchers from around the world have participated in our programs with some amazing, often original research. Beyond the individual bugs, we have learned many lessons: we have uncovered unique and interesting threats, exploit vectors, and new research, and we have reprioritized our work based on the bug bounty reports. From Dropbox and all our users, a big THANK YOU to all the researchers that help secure Dropbox for our users!
Dropbox is recognizing security researchers for submitting security bugs through a bug bounty program with HackerOne and Bugcrowd. Whether you’re a security bug guru or a complete newbie, we want to make it as easy as possible to submit any bugs you find!
To this end, we’ve compiled the top 5 security bug report tips from our very own Security Engineers:
- Build a stronger report by including information on the actual and potential impact of the vulnerability, as well as details of how it could be exploited.
- Include the methodology you used to find the bug,
Protecting the privacy and security of our users’ information is a top priority for us at Dropbox. In addition to hiring world class experts, we believe it’s important to get all the help we can from the security research community, too. That’s why we’re excited to announce that starting today, we’ll be recognizing security researchers for their effort through a bug bounty program with HackerOne.
Bug bounties (or vulnerability rewards programs) are used by many leading companies to improve the security of their products. These programs provide an incentive for researchers to responsibly disclose software bugs,