Dropbox has become the latest high-profile Internet firm to start a bug bounty program, hooking up with HackerOne to provide rewards to security researchers who report vulnerabilities through the program.
The new reward system from Dropbox covers a variety of the company’s offerings, including the Dropbox and Carousel iOS and Android applications; the Dropbox and Carousel web applications; the Dropbox desktop client; and the Dropbox Core SDK. The company is even taking the unusual step of rewarding researchers who reported critical vulnerabilities before the bounty program started.
“While we work with professional firms for pentesting engagements and do our own testing in-house, the independent scrutiny of our applications has been an invaluable resource for our team — allowing our team to tap into the expertise of the broader security community,” Devdatta Akhawe of Dropbox said in a post announcing the program.
“We’ve recognized the contributions of the researchers we’ve worked with in a public hall of fame, and now we’re very excited to be one of several companies that provide monetary rewards, too. In fact, we’ll be retroactively rewarding researchers who’ve reported critical bugs in our applications through our existing program, paying out $10475 today.”
The minimum bounty for Dropbox’s reward program is $216 and the company hasn’t set a maximum.
HackerOne, along with Bugcrowd, has become one of the key platforms for companies looking to establish vulnerability reward programs. There are a number of high-profile software and Web companies that have set up bounty programs in recent months, with Adobe being the biggest name to join HackerOne lately.
The list of issues that are out of scope for the Dropbox reward program is long, and includes things such as password, email and account policies, many classes of XSS bugs, and attacks that require physical access.