Feel a bit cheated that a billion dollar company couldn't take the time to respond... if I had the time I'd follow up with them.
Turns out there's a reason XSS is so often mentioned. Even Dropbox and Facebook fell prey to it (although in this case the input wasn't from the web, but rather from their desktop application/service partner).
That's the fundamental mistake. Don't escape input, escape output. If you're interpolating values into queries, that's an output that you need to escape for. If you're sending data to a browser, that's another output that you need to escape for (with different escaping rules).
It's easy to get wrong - especially when you look through the list of different subtle ways you could mis-escape something.
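An added illustration of the "escape output, not input" point above (example code written for this page, not from any commenter): the same stored string goes through a parameterised SQL query, an HTML template and a JSON response, each with its own escaping rules, and the last function shows what goes wrong when you escape on input instead. The sample comment text is constructed for the example.

```python
import html
import json
import sqlite3

# Constructed sample input (not from the thread): a review body with
# characters that are special in SQL ('), HTML (< > &) and JSON (").
RAW_COMMENT = "Bob's <b>review</b> \"rocks\" & more"


def store_and_fetch(comment):
    """Persist the comment with a parameterised query and read it back.

    The input is stored untouched: the driver binds the value, so the
    SQL text never contains user data and no SQL escaping is needed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES (?)", (comment,))
    (body,) = conn.execute("SELECT body FROM comments").fetchone()
    conn.close()
    return body


def render_html(comment):
    """Escape at the HTML output boundary, with quote=True so that ' and "
    are covered too (the equivalent of ENT_QUOTES in PHP's
    htmlspecialchars), which matters when the value lands in an attribute."""
    safe = html.escape(comment, quote=True)
    return '<p title="%s">%s</p>' % (safe, safe)


def render_json(comment):
    """Escape at the JSON output boundary: json.dumps applies JSON's own
    rules, which differ from HTML's."""
    return json.dumps({"body": comment})


def render_json_after_input_escaping(comment):
    """The 'escape input' mistake: HTML-escaping before storage means every
    other output (here a JSON API) receives HTML entities it never asked for."""
    stored = html.escape(comment, quote=True)  # wrong place to escape
    return json.dumps({"body": stored})


if __name__ == "__main__":
    body = store_and_fetch(RAW_COMMENT)
    print(render_html(body))
    print(render_json(body))
    print(render_json_after_input_escaping(RAW_COMMENT))
```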
The only thing protecting the majority of sites is that exploiting them just isn't desirable.
print htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
Otherwise, yeah, someone will miss one instance and that's all it takes. One attack vector.
(i.e. you won't get that warm fuzzy feeling of doing the right thing with the blackhat market)
I got nothing. Maybe next time I'll just post this stuff for random people on twitter to find
Why even bother to tell them then?
There's very curious mating rituals for selling security consulting. Ask Thomas for the specifics -- he's far better versed in them than I am. Suffice it to say that "I owned X -- here's proof" is very much not of zero value while you're doing that dance.
Of course, it's hard to think of what else you might do with a Dropbox web finding. I sort of doubt there's a liquid market in Dropbox vulnerabilities. For one thing, vulnerabilities that do have markets tend to have patch lifecycles longer than "instantaneously fixed as soon as target finds out about vulnerability".
You can also choose to publish on your own website. This buys you not a whole lot more than just informing Dropbox, except to signal to the professional market that you will go out of your way not to help people like Dropbox when you find a bug.
Nobody in the whole wide world is obligated to do free research for Dropbox. That's not what pages like these are meant to imply.
Believe it or not, there is also the aspect of civil courage, one willing to protect the others from potential harm. Detectify was born out of the frustration that an overwhelming part of the internet is completely insecure for users. Usually completely unaware users.
Analogy: It's like you walking by a leaning scaffold with people passing under it. You realize that the scaffold is just a hair's breadth from rambling down, potentially harming a bunch of people. Bounty or not, you report to the authorities or the hard hats. Don't you?
Co-founder @ detectify.com
Happy to be making a buck while hopefully making the interwebz a safer place ;)
(This is quite clear from http://www.facebook.com/whitehat/bounty/.)