Dropbox launches cash for bugs program, offers long list of bugs that don't qualify

  • Liam Tung (CSO Online)
  • 16 April, 2015 09:43

Cloud file storage firm Dropbox will begin paying security researchers for finding bugs in its software, but instead of saying which bugs do qualify for payment it's laid out a long list of bugs that don't.

Dropbox has announced a new cash for bugs program, which it’s operating on third-party bug reporting platform HackerOne. Prior to the new cash program, Dropbox, like others on HackerOne such as Adobe, only offered recognition to researchers who found and reported security bugs.

Depending on the severity of the bug, Dropbox is offering payments of between $216 and says the maximum bounty it has paid out so far is $4,913 — one of the retroactive payments it made today totalling $10,475.

Products in scope for the bounty include Dropbox, Carousel, its Mailbox iOS and Android apps, its Dropbox and Carousel web applications, as well as the Dropbox desktop client, and the Dropbox Core SDK.

Devdatta Akhawe, a security engineer at Dropbox, said the bounty program was one way it aims keep its 300 million users secure, alongside in-house testing and engaging third-party pen-testers to secure its products.

“These programs provide an incentive for researchers to responsibly disclose software bugs, centralize reporting streams, and ultimately allow security teams to leverage the external community to help keep users safe,” Akhawe noted.

The company also receives independent security bug reports from third party firms, as it did this March from researchers at IBM who discovered its Android SDK could have opened non-Dropbox apps to attackers. By exploiting the bug, an attacker could link their Dropbox account to a vulnerable third-party app on a victim’s device. IBM commended Dropbox for releasing a patch within four days of receiving its report.

But Dropbox’s move to cash payouts could introduce “noise” — or an abundance of trivial bugs report that waste its staff's time. As Bugcrowd CEO Casey Ellis told CSO Australia recently, trivial bug reports may ultimately fatigue the internal responding team.

It seems Dropbox is attempting to address this with its approach to defining which bugs qualify for a bounty. Unlike Google’s bug bounty programs, which list several qualifying bugs, Dropbox says that payment requires a “qualifying vulnerability” but defines this through a lengthly list of bugs that don’t qualify. Among 25 unwelcome bugs include attacks requiring physical access to a user’s device, and common web application flaws such as cross-site scripting flaws on any site other than *

At the other extreme, as HackerOne highlighted this week, software companies that want to protect users from attackers need to negotiate a strange economy for zero-day vulnerabilities, where ceiling prices for new flaws — mostly in widely-used software — are set by governments or government-backed groups.

This article is brought to you by Enex TestLab, content directors for CSO Australia.