Introducing the Dropbox bug bounty program - antoncohen
https://blogs.dropbox.com/tech/2015/04/introducing-our-bug-bounty-program/

======
Stefan-H
Bug bounty programs seem to be more and more necessary for a mature security
program. I feel like this can span the gamut from resources for responsible
disclosure all the way to robust bug bounty programs that offer payouts. The
barrier to entry for the former should be low and something that every
organization with security personnel can arguably support, but once you start
doing payouts, the need to run a tight ship with regard to how bugs are
evaluated becomes far greater.

~~~
Someone1234
Yeah, it seems like a welcome evolution.

Back in the old days far too many companies had very poor processes for
dealing with security issues. Either it was impossible to give the report
(stuck in CS hell), you'd never hear feedback (e.g. fixed, WONTFIX, etc), you
may be threatened with criminal/civil prosecution, and you most certainly
wouldn't be credited or acknowledged.

Now, if nothing else, at least the process is well documented end-to-end. Even
if we ignore the "debate" over compensation, at least all the other problems
are now solved. If you throw on top of that a small "thanks" payment for
finding the bug, you now not only solve the old problems but you give people a
legitimate reason for responsible disclosure beyond morals.

That's really the core of this, doing the right thing should make rational
sense as well as moral sense. Then the bug finder has no real reason to do
anything except the right thing. The only reason not to disclose responsibly
now is spite (or in Google's case a strict adherence to policy no matter how
little sense it makes).

~~~
nulltype
Unless someone makes a bug bounty program for Dropbox bugs that offers more
than Dropbox does. I don't know what the fair market rate for these bugs is,
but it could well be higher than what Dropbox is offering.

------
neonbat
Is there a list somewhere of problems/bugs that have been discovered with
dropbox?

~~~
denwer
Regarding the HackerOne program you can have a look at the bottom of this
page: [https://hackerone.com/dropbox](https://hackerone.com/dropbox) and have
a look for bug-report titles. These are the reports that were publicly
disclosed and valid reports (won't-fixes are not in that list).

Or you might go for a search for "dropbox" here (that comes in handy if there
are a lot of reports): [http://h1.nobbd.de](http://h1.nobbd.de)

------
AwesomeTogether
$216 for pointing out a bug in software of a multi-billion dollar (valuation)
software company? Yeah, I'll get right on that.

------
akshayaurora
Why now?

------
nvk
Looking forward to the day you offer a feature most call "Privacy". Client
side encryption anytime soon?