Dropbox launches bug bounty, will also pay for previously reported bugs

Dropbox is the latest company to officially announce a bug bounty program set up through the HackerOne platform.

While the program has been up and running for several months now, the company has decided that aside from recognizing the researchers who reported vulnerabilities on a hall of fame page, they will also provide monetary rewards.

Another good news is that the company will retroactively reward researchers who’ve already reported critical bugs through the program. The total amount of these rewards is $10475.

The minimum reward is $216, and there is no maximum reward. So far, the largest amount a researcher received for a bug report is $4,913.

“While we work with professional firms for pentesting engagements and do our own testing in-house, the independent scrutiny of our applications has been an invaluable resource for our team — allowing our team to tap into the expertise of the broader security community,” Devdatta Akhawe, a security engineer at Dropbox, noted in a post.

The company is looking for reports on vulnerabilities in the Dropbox, Carousel, and Mailbox iOS and Android applications; the Dropbox and Carousel web applications; the Dropbox desktop client and the Dropbox Core SDK.

“Vulnerabilities reported on other applications are generally not eligible for monetary rewards. However, they are still eligible for our Special Thanks page, and we can, at our discretion, award bounties for particularly novel or severe vulnerabilities in other Dropbox applications,” the company pointed out on the program page, which also holds a considerable list of issues that are outside the scope of the rewards program, as well as the rules researchers should abide to.