Dropbox To Pay ‘Bug Bounties’ to Security Experts to Find Vulnerabilities
There was a time when companies bristled when third parties pointed out security flaws their own internal experts didn’t catch. Not so anymore, as Dropbox has joined big names including Google (GOOG), Facebook (FB) and Yahoo (YHOO) in paying independent security researchers to find vulnerabilities in their applications.
There was a time when companies bristled when third parties pointed out security flaws their own internal experts didn’t catch. Not so anymore, as Dropbox has joined big names including Google (GOOG), Facebook (FB) and Yahoo (YHOO) in paying independent security researchers to find vulnerabilities in their applications.
The popular online storage service has launched a bug bounty program with service provider HackerOne that will pay external experts to find issues with the company’s applications, Dropbox security engineer Devdatta Akhawe revealed in a blog post.
“Protecting the privacy and security of our users’ information is a top priority for us at Dropbox,” he wrote. “In addition to hiring world-class experts, we believe it’s important to get all the help we can from the security research community, too.”
As Akhawe explained in the post, so-called bug bounties—more formally known as vulnerability rewards programs—are increasingly being used to improve the security of products. Indeed, payments to third parties who bring a different perspective to security than internal experts are becoming a new business model for companies to make their applications more secure.
HackerOne is a security response and bug bounty platform and service. Yahoo, Twitter, AirBnB and Adobe are among companies that also use the platform.
Dropbox previously had recognized independent researchers who located flaws in their applications, but didn’t pay them for their work. The Dropbox HackerOne program not only will make payouts for newly recognized vulnerabilities, but also retroactively has rewarded researchers who’ve reported critical bugs in the past through the program, paying out $10,475 at its launch to these experts, Akhawe said.
The bounties initially will be paid for vulnerabilities found in the Dropbox and Carousel iOS and Android applications; the Dropbox and Carousel web applications; the Dropbox desktop client as well as the Dropbox Core SDK.
Anyone pointing out vulnerabilities for other applications won’t receive monetary awards, but they will get a shout-out for their efforts on a Dropbox “Special Thanks” page. And if the bug is big and bad enough, the company can at its discretion reward them a bounty, according to the HackerOne web page for the Dropbox program.
The program’s minimum bounty is $216 but there is no maximum bounty. Payment depends on how critical the bug is, Akhawe wrote.
“This is another step in our commitment to security and privacy, which has already been reflected in the recognition and ranking by external organizations like EFF and SSLLabs, as well as our participation and support of organizations like SimplySecure,” he wrote. “We look forward to working with security researchers and awarding them for their contributions to the security of all Dropbox users.”
