Dropbox has formalised its bug bounty initiative, rewarding those who find security holes in the cloud storage service.
The company will use HackerOne's bug reporting interface, rewarding people who find bugs with a minimum of $216 (144). There's no upper limit to bounties, although to date, the largest payment Dropbox has made is $4913 (3282).
If multiple people report the same vulnerability, the first who discovered it would be rewarded. All Dropbox products, including the iOS and Android apps, desktop client and core SDK are eligible for rewards.
Dropbox security engineer Devdatta Akhawe said in a blog post: "While we work with professional firms for pentesting engagements and do our own testing in-house, the independent scrutiny of our applications has been an invaluable resource for our team allowing our team to tap into the expertise of the broader security community."
Dropbox had already collated a hall of fame for those researchers that have uncovered flaws , but taking cues from the likes of Google, Microsoft and Yahoo, the storage service decided to take this one step further, offering money as rewards rather than just the prestige of being listed as a bug-finder.
"Protecting the privacy and security of our users' information is a top priority for us at Dropbox. In addition to hiring world class experts, we believe it's important to get all the help we can from the security research community, too," Akhawe said.
Dropbox has recently stepped up its game when it comes to security after enterprises deemed it unfit for business use last year. Last October, hundreds of its customers' usernames and passwords were leaked, although the company was quick to say it wasn't a hack.
