Dropbox launches HackerOne bug bounty program

Researchers who report vulnerabilities in Dropbox software can expect a cash reward.
Written by Charlie Osborne, Contributing Writer on

Dropbox has launched a bug bounty program on HackerOne, joining a multitude of other companies seeking outside help to keep their software as secure as possible.

While internal security teams and the Security Development Lifecycle often irons out many security issues before a service or software is released to the public, undiscovered security issues remain a headache for developers. Companies can develop and patch security problems as they come to light, but it is more worthwhile for companies to entice white-hat hackers to report bugs and security vulnerabilities before they become public knowledge or end up on the black market for sale.

Bug bounties are a key way for security vulnerabilities to be discovered, and financial incentives are becoming a critical part of the process -- especially as cybersecurity experts are few and far between, and these skills are now hot property in the technology realm.

See also: What drives the zero-day market?

In a blog post announcing the program, Devdatta Akhawe from the cloud storage firm said the Dropbox, Carousel, and Mailbox iOS and Android applications are eligible for inclusion in the bug bounty program, as well as the Dropbox and Carousel web applications, the Dropbox desktop client and the Dropbox Core SDK. In addition, the company will consider rewarding researchers who submit "novel or particularly interesting" bugs related to other Dropbox applications.

The company does not offer an official bounty rate or limit; instead, Dropbox rewards researchers based on the severity of the flaw. The company -- which is also rewarding bug finders who submitted flaws before the scheme began -- has paid out rewards ranging from $216 to $4913 so far. In addition, researchers who submit accepted flaws are placed in a public Hall of Fame.

"While we work with professional firms for pentesting engagements and do our own testing in-house, the independent scrutiny of our applications has been an invaluable resource for our team -- allowing our team to tap into the expertise of the broader security community," Akhawe says.

"In fact, we'll be retroactively rewarding researchers who've reported critical bugs in our applications through our existing program, paying out $10475 today."

Dropbox asks researchers to share submitted security problems in detail, give the company a "reasonable" time to respond to the issue before public disclosure, to not access or modify user data without permission and to generally act in good faith.

So far, 27 bugs have been reported, fixed and closed. However, a number of issues are outside of the program, such as flaws requiring physical access to a user device, vulnerabilities affecting outdated systems and problems caused through root devices.

Akhawe commented:

"This is another step in our commitment to security and privacy, which has already been reflected in the recognition and ranking by external organizations like EFF and SSLLabs, as well as our participation and support of organizations like SimplySecure. We look forward to working with security researchers and awarding them for their contributions to the security of all Dropbox users."

Dropbox is far from the only technology firm using public bug bounty programs to increase the security of their products and services. Recently, Adobe announced a vulnerability disclosure program also hosted on HackerOne, however, hackers expecting a financial reward will be disappointed.

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards