Dropbox recently introduced a bug bounty program and is now one of the high-profile businesses that reward security researchers. For this, Dropbox has partnered with HackerOne to reward the security experts and receive their vulnerability reports.
Dropbox’s new reward system covers a variety of the firm’s offerings, including the Dropbox and Carousel iOS and Android apps, the Dropbox and Carousel web applications, the Dropbox desktop client and the Dropbox Core SDK. It is also taking the unusual step of rewarding researchers who reported critical vulnerabilities well before the bounty program was launched.
Devdatta Akhawe of Dropbox said in a blog post that, while the company works with professional firms on “pentesting engagements” and performs its own in-house testing, “the independent scrutiny of the applications is an invaluable resource for our team” since it allows the team to work on a broader set of security issues.
The company said that it has recognized contributions of researchers by inducting them “in a public hall of fame.” “We are excited to be one of the companies that give monetary rewards, too,” Devdatta Akhawe added. In fact, Dropbox is retroactively rewarding researchers who have reported critical bugs in the company’s applications by giving away $10,475.
As of April, the minimum bounty for Dropbox’s reward scheme is $216, and the company has yet to set a maximum.
HackerOne and Bugcrowd are the key platforms for businesses looking to establish vulnerability reward programs. A number of high-profile software and web firms have also introduced bounty programs in recent months. Now, Adobe is one of the biggest names to have joined HackerOne.
It is also worth pointing out that the list of issues that are out of scope for the Dropbox reward system is fairly long, and it includes things such as password, email and account policies, many XSS bugs, and attacks that require physical access.