Dropbox launches cash for bugs program, offers long list of bugs that don't qualify

Cloud file storage firm Dropbox will begin paying security researchers for finding bugs in its software, but instead of saying which bugs do qualify for payment it's laid out a long list of bugs that don't.

Dropbox has announced a new cash for bugs program, which it’s operating on third-party bug reporting platform HackerOne. Prior to the new cash program, Dropbox, like others on HackerOne such as Adobe, only offered recognition to researchers who found and reported security bugs.

Depending on the severity of the bug, Dropbox is offering payments starting at $216. It says the largest bounty it has paid out so far is $4,913, one of a set of retroactive payments made today totalling $10,475.

Products in scope for the bounty include the Dropbox, Carousel and Mailbox iOS and Android apps, the Dropbox and Carousel web applications, the Dropbox desktop client, and the Dropbox Core SDK.

Devdatta Akhawe, a security engineer at Dropbox, said the bounty program was one way it aims to keep its 300 million users secure, alongside in-house testing and engaging third-party pen-testers to secure its products.

“These programs provide an incentive for researchers to responsibly disclose software bugs, centralize reporting streams, and ultimately allow security teams to leverage the external community to help keep users safe,” Akhawe noted.

The company also receives independent security bug reports from third-party firms, as it did this March from researchers at IBM who discovered its Android SDK could have exposed non-Dropbox apps to attackers. By exploiting the bug, an attacker could link their own Dropbox account to a vulnerable third-party app on a victim’s device. IBM commended Dropbox for releasing a patch within four days of receiving its report.

But Dropbox’s move to cash payouts could introduce “noise”, an abundance of trivial bug reports that waste its staff's time. As Bugcrowd CEO Casey Ellis told CSO Australia recently, trivial bug reports may ultimately fatigue the internal responding team.

It seems Dropbox is attempting to address this with its approach to defining which bugs qualify for a bounty. Unlike Google’s bug bounty programs, which list several qualifying bug classes, Dropbox says that payment requires a “qualifying vulnerability” but defines this through a lengthy list of bugs that don’t qualify. The 25 excluded categories include attacks requiring physical access to a user’s device, and common web application flaws such as cross-site scripting on any site other than *.dropbox.com.

At the other extreme, as HackerOne highlighted this week, software companies that want to protect users from attackers need to negotiate a strange economy for zero-day vulnerabilities, where ceiling prices for new flaws — mostly in widely-used software — are set by governments or government-backed groups.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
