At Dropbox, we encourage, support, and celebrate independent open security research.
One way we do this is via our bug bounty program. We recently tripled our rewards to industry-leading values. We also celebrated some of the amazing results from the hacker community with top-up bonuses, retroactively issuing additional rewards for particularly unusual, clever, or high-impact findings.
This post, however, is not about bug bounty programs. While a well-run bug bounty program is mandatory for maintaining top-tier security posture, this post is about the foundation on which bug bounty programs are built: the Vulnerability Disclosure Policy (VDP).
We first launched our bug bounty program in 2014, with initial bounties for critical bugs in the range of $5,000, ramping up to (currently) over $10,000 for critical bugs. Over the past three years, leading security researchers from around the world have participated in our programs with some amazing, often original research. Beyond the individual bugs, we have learned many a lesson: the reports have uncovered unique, interesting threats, exploit vectors, and new research, and we have rejigged our priorities based on them. From Dropbox and all our users, a big THANK YOU to all the researchers who help secure Dropbox for our users!
Dropbox is recognizing security researchers for submitting security bugs through a bug bounty program with HackerOne and Bugcrowd. Whether you’re a security bug guru or a complete newbie, we want to make it as easy as possible to submit any bugs you find!
To this end, we’ve compiled the top 5 security bug report tips from our very own Security Engineers:
- Build a stronger report by including information on the actual and potential impact of the vulnerability, as well as details of how it could be exploited.
- Include the methodology you used to find the bug,
Protecting the privacy and security of our users’ information is a top priority for us at Dropbox. In addition to hiring world class experts, we believe it’s important to get all the help we can from the security research community, too. That’s why we’re excited to announce that starting today, we’ll be recognizing security researchers for their effort through a bug bounty program with HackerOne.
Bug bounties (or vulnerability rewards programs) are used by many leading companies to improve the security of their products. These programs provide an incentive for researchers to responsibly disclose software bugs,