Dropbox has reported that its payouts to researchers for reported vulnerabilities have passed the million-dollar mark.
Dropbox set up its own vulnerability disclosure program in 2014, and in April 2015 it opened a public bug bounty program on the HackerOne platform. Researchers can therefore hunt for vulnerabilities in the company's main sites, in the Paper service, and in its desktop and mobile applications.
Rewards for security researchers range from US $216 to US $32,000; the maximum is paid for critical vulnerabilities that allow remote code execution on Dropbox servers.
To date, the company has paid researchers over US $1 million, including more than US $318,000 through the HackerOne platform (for nearly 300 vulnerabilities) and more than US $330,000 at a live hacking event held in Singapore last year.
Beyond the bare statistics, Dropbox also shared a list of the most interesting bug reports. These included vulnerabilities that could be used to access password-protected documents, gain access to Paper documents, reach Dropbox internal services via SSRF (server-side request forgery), steal file contents, and carry out ImageTragick (ImageMagick) attacks.