The new bug bounty program augments Dropbox’s existing in-house operation.
The program covers the Dropbox, Carousel and Mailbox apps for iOS and Android, the Dropbox and Carousel web apps, the Dropbox desktop client and the Dropbox Core SDK. The company says it is also open to rewards for “novel or particularly interesting bugs” in other Dropbox applications.
The minimum bounty for qualifying bugs is $216 and the maximum bounty already paid is $4,913, but the company says there is no official maximum.
Dropbox says it is retroactively rewarding researchers who have reported critical bugs within its existing program, and is paying out a total of $10,475 today.
Duplicate reports are resolved in favor of the first one on record, which is the only one rewarded.
There is nothing new about such bug bounty programs (also known as vulnerability reward programs), and many companies use them to improve security by opening their applications to scrutiny from independent researchers.
At this writing, Dropbox has acknowledged 25 bugs closed and 24 hackers thanked.
➤ Introducing our bug bounty program [Dropbox]