Company offers retroactive payment for bug submission

Apr 16, 2015 14:34 GMT

Dropbox has decided to strengthen the security of its services by accepting vulnerability submissions from a wider audience and paying at least a couple of hundred dollars for each valid finding.

Dropbox was already managing vulnerability reports through the HackerOne coordination platform, but now it decided to include a monetary incentive.

Security research recognition published in hall of fame

The file synchronization service did not set a ceiling on bounties, suggesting that it is willing to pay large sums for highly severe security bugs.

The company already relies on professional help from penetration testing businesses, and it also carries out its own assessments.

However, the benefits of vulnerability reward programs are recognized by the industry as they incentivize independent researchers to find possible weaknesses and report them in a responsible manner.

Independent contributions toward fixing security flaws in Dropbox services have always been accepted by the company, which created a hall of fame as a “thank you” to the researchers.

Reward program debuts with older bug submissions

With the initiation of the reward program, these researchers will now benefit from more than just public recognition as the company decided to reward them retroactively for their effort. On Wednesday, Devdatta Akhawe from Dropbox said that $10,475 / €9,762 had already been paid.

He also added that the maximum bounty paid was $4,913 / €4,580 and a check of at least $216 / €200 would be offered for any valid bug submission. In case of duplicate reports, only the first one is entitled to the reward.

“Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report,” the program’s description on HackerOne reads.

The products eligible for the bug bounty program are Dropbox and Carousel mobile and web apps, the Dropbox desktop client and the Dropbox Core SDK.