- Dropbox’s latest HackerOne round brings in 264 new vulnerabilities and takes out $320k in rewards.
- The company is taking bug bounty programs seriously, as security and safety are at their core.
- Hackers claim all systems have vulnerabilities, and the most mature ones just need more time.
In the context of a single-day bug hunt organized by HackerOne and Dropbox Inc. in Singapore, 45 hackers from around the globe have managed to discover 264 vulnerabilities in the popular cloud file-hosting and online backup service. The total payout of $319300 is indicative of the extent of the discoveries, which will help secure the hundreds of millions of Dropbox users and plug the most outright overt security holes of the recently acquired “HelloSign” document workflow and e-signatures startup. This was only part of Dropbox’s regular bug bounty program, an initiative that the company maintains and sincerely believes in.
ZDNet has focused on one of the youngest hackers of the particular event, Jack Cable. At 19 right now, he has been hunting bugs for HackerOne since he was 16, having taken part in over 100 events and identifying 250 vulnerabilities. Cable says it all depends on the maturity of the systems that are targeted, and regardless of the securing efforts, there are always vulnerabilities. As he characteristically said: “If you look at it long enough, you’re going to find them. What matters more is how companies respond to the flaws they find.”
Dropbox approaches bug bounty programs with responsibility, so their systems are mature (running a HackerOne program since 2015), and finding flaws in them take more effort. Right now, the rewards list is set as follows:
- Remote code execution (RCE) on servers – $32768
- Significant authentication bypass – $17576
- Trivial remote code execution in Dropbox app (all platforms) – $15625
- Cross-site request forgery on critical actions – $13824
- Cross-site scripting on dropbox.com working on all browsers – $12167
- A minimum reward – $216
HackerOne, the platform that has changed the field of bug bounty programs since 2012 has helped make the internet a safer place by discovering security flaws in the tools that we use. Counting more than 390000 registered hackers, and having organized more than 1300 bug bounty programs, their payouts are just shy of $50 million right now. In case that you missed it last week, we had an insightful interview with Lauren Koszarek of HackerOne, where she explained the incentives that gave them growth, the motivation for white hacking, and shared her thoughts for the future.
Are you one of the million Dropbox users? Do you trust the platform with critical files? Let us know in the comments section beneath, and don’t forget to check more news and posts on our socials, on Facebook and Twitter.