Dropbox Joins Bug Bounty Programs

With security experts predicting that cyber attacks will not only continue but escalate, more companies are turning to bug bounty programs to supplement their in-house security initiatives. The latest company to crowdsource its security, Dropbox, has announced a new bug bounty program administered by HackerOne.

Here are some details about the program from the announcement:

The minimum bounty for qualifying bugs is $216. At this time, there’s no official maximum bounty but so far the highest bounty paid out is $4,913. In case of duplicates, the first report will be incentivized. Current applications eligible for the bounty program include the Dropbox, Carousel, and Mailbox iOS and Android applications; the Dropbox and Carousel web applications; the Dropbox desktop client as well as the Dropbox Core SDK. Unusual bugs in other Dropbox applications may be eligible for rewards as well. 

More details about the rewards program and where to report a potential bug are found on the Dropbox HackerOne page.

San Francisco-based HackerOne is one of several companies that coordinate bug reports from outside security researchers/hackers to organizations. Other companies with programs hosted by HackerOne include Twitter, Yahoo!, Snapchat, Adobe, Robocoin, Vimeo, Square, Urban Dictionary, Khan Academy, OkCupid, Flash, Ruby on Rails, Python, Perl, and others.

Other startup sites that allow companies of all sizes to receive bug reports are Crowdcurity, Bugcrowd, and Synack, according to The Verge.

In other security program news, Google announced for 2015 that the Google “Pwnium” bug bounty program is now year-round and offers “infinity” million dollars in rewards. Before, Pwnium was a one-day competition held at a security conference. According to Google, rewards of $30,000 and higher have been already paid.

Who is a typical participant in these bug bounty programs? In an article examining the booming bug bounty business, The Verge reports that the researchers it contacted said they pursued this work part-time. "Bug bounty like online poker I think [sic]," wrote a Russian hacker, Andrew. "You may be in luck and got a big prize [but] may be not in luck and during long time nothing to find [sic]."
