Introducing the Dropbox bug bounty program
Protecting the privacy and security of our users’ information is a top priority for us at Dropbox. In addition to hiring world-class experts, we believe it’s important to get all the help we can from the security research community, too. That’s why we’re excited to announce that starting today, we’ll be recognizing security researchers for their effort through a bug bounty program with HackerOne.
Bug bounties (or vulnerability rewards programs) are used by many leading companies to improve the security of their products. These programs provide an incentive for researchers to responsibly disclose software bugs, centralize reporting streams, and ultimately allow security teams to leverage the external community to help keep users safe (something I’ve advocated for in previous research).
While we work with professional firms for pentesting engagements and do our own testing in-house, the independent scrutiny of our applications has been an invaluable resource for our team, allowing us to tap into the expertise of the broader security community. We’ve recognized the contributions of the researchers we’ve worked with in a public hall of fame, and now we’re very excited to be one of several companies that provide monetary rewards, too. In fact, we’ll be retroactively rewarding researchers who’ve reported critical bugs in our applications through our existing program, paying out $10,475 today.
Here are some additional details about the program: