Dropbox launches 'limitless' bug bounty
Back pay on its way
Dropbox has launched a no-limit bug bounty program and has so far paid out US$14,875 for vulnerabilities reported both before and since the launch.
The HackerOne bounty, which supplements the company's external penetration testing efforts, is unusual in offering back payment for critical vulnerabilities that white hat hackers had already reported without expecting reward.
There are no limits on the potential cash rewards for critical vulnerabilities, although the highest Dropbox has paid so far is $4,913.
Hackers will receive $216 in beer money for reporting small vulnerabilities.
"For now, the Dropbox, Carousel, and Mailbox iOS and Android applications; the Dropbox and Carousel web applications; the Dropbox desktop client as well as the Dropbox Core SDK are eligible for the bounty program," the company says.
"We may also reward for novel or particularly interesting bugs in other Dropbox applications."
So far 27 bugs have been stomped.
Dropbox excludes a long list of vulnerability classes, including cross-site scripting against dropboxusercontent.com (the separate domain from which user-uploaded content is served), the forums, or non-Dropbox domains; attacks that require physical access to the device; and login and logout cross-site request forgery.
Hackers who disclose vulnerabilities before Dropbox is informed and given time to patch won't receive a cent. ®