Joining a host of other high-profile companies, Dropbox has just announced a new bug bounty partnership with reporting platform HackerOne. Security researchers can sniff out bugs and bring them to light before they’re maliciously exploited, and while other find-and-report schemes typically have a maximum payout, the Dropbox bounty offers a ground floor of $216. Are there big bucks here for bug trackers?
According to Kaspersky Lab, the new Dropbox program covers more than just Dropbox Core SDK. Bounties are also paid out on the Dropbox and Carousel iOS, Android and Web apps, in addition to the desktop client. There are some bugs outside the purview of the rewards program, such as those related to password, email or account policies, as well as to cross-site scripting bugs or those that require physical access to execute.
Still, there is massive potential payoff here for dedicated bug finders. The official Dropbox blog notes it has paid out $10,475 in a single day and almost $5,000 for a single bounty. Standard rules apply: Whoever reports the bug first gets the money, and public disclosure before the Dropbox team has time to address the issue results in disqualification. Also of note is that the company is paying contributors who identified bugs before the Dropbox bounty program started.
As noted in a new research paper from HackerOne, bug bounty programs do not have an effect on the zero-day market, helping to spur a race between malicious actors and defensive researchers for vulnerabilities. While companies can’t provide the same kind of six-figure payouts offered by attackers, some monetary incentive can help “maximize the discovery correlation and dry up the offensive stockpile,” according to Dr. Michael Siegel of the Massachusetts Institute of Technology. This is the beauty of bounty programs: Many hands make light work, and when combined with automated tools, it is possible for companies to leverage smaller payouts and still defend their software.
For Dropbox, this is key since more attacks target the company’s offerings as it gains ground. For example, the IBM X-Force Application Security Research Team recently found a flaw in Dropbox SDK for Android (CVE-2014-8889) that let attackers connect mobile apps to users’ Dropbox accounts without their permission or knowledge. Additionally, in October 2014, hundreds of Dropbox passwords were made public, and while the company says it wasn’t hacked, it has clearly become a target regardless of the point of origin.
Using a bounty program makes sense. It is now common industry practice and pushes the good guys to find and report bugs as quickly as possible. By skipping the ceiling for payouts and offering rewards for “particularly interesting bugs in other Dropbox applications” not on the approved short list, the storage company is hoping to tap full-bore effort without paying for any more full-time equivalents. In other words, paying up front may well prove more cost-effective than hiring more staff and should help keep Dropbox out of the firing line when it comes to new zero-day attacks.