Until today, Dropbox merely recognized security researchers who found serious security holes in its software on a public hall of fame page. Now, the company is starting to provide monetary rewards.
In fact, Dropbox has decided to retroactively reward hackers who responsibly reported critical bugs in its applications. More specifically, the company is paying out $10,475 to 24 security researchers today (the largest payout was $4,913).
The bug bounty program’s scope includes: Dropbox, Carousel, Mailbox for Android and iOS, the Dropbox and Carousel web applications, the Dropbox desktop client, and the Dropbox Core SDK. The company does hint, however, that this list may expand in the future and that it “may also reward for novel or particularly interesting bugs in other Dropbox applications.”
Dropbox’s program requires that security researchers do the following:
- Share the security issue with Dropbox in detail.
- Give Dropbox a reasonable time to respond to the issue before making any information about it public.
- Not access or modify user data without permission of the account owner.
- Act in good faith not to degrade the performance of Dropbox’s services (including denial of service).
This is pretty standard stuff for bug bounty programs. Other typical conditions also apply: Only the first reporter of a vulnerability is rewarded, you must report a qualifying vulnerability through the HackerOne reporting tool to be eligible, and public disclosure of the vulnerability prior to resolution will result in disqualification from the program.
Bug bounty programs are used by much larger tech companies, including Facebook, Google, and Microsoft, with great results. While Dropbox may not have their size and scope, its program is beneficial all the same: It’s always better to find and fix a bug before it becomes a problem, especially when it comes to security. Rewarding security researchers with bounties costs peanuts compared to the cost of paying for a serious security snafu.