Keeping user information safe and secure is a top priority and a core company value for us at Dropbox. We welcome the contribution of external security researchers and look forward to awarding them for their invaluable contribution to the security of all Dropbox users.

Rewards

Dropbox provides rewards to vulnerability reporters at its discretion. Our minimum reward is $216 USD. There is no maximum reward. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report. Keep in mind that this is not a contest or competition. Here are usual minimum rewards for critical vulnerabilities affecting the core Dropbox application and Dropbox Paper web application and server, but not HelloSign.

| Vulnerability|Reward|

|----------|-------------|

| Remote Code Execution on servers | $32,768 |

| Significant Authentication Bypass | $17,576 |

| Trivial Remote Code Execution in Dropbox app (Android, iOS, Client) | $15,625|

| Cross Site Request Forgery on critical actions| $13,824|

| Cross site scripting on www.dropbox.com working on all browsers | $12,167 |

These values are indicative and we reserve the right to determine amount or even whether a reward should be granted. We typically reward lower amounts for vulnerabilities that require significant user interaction. We also might pay higher rewards for clever or severe vulnerabilities. We also pay extra bonus bounties for interesting/valuable research and we match donations to charity when done through HackerOne.

Applications in Scope

For now, the Dropbox iOS and Android applications; the Dropbox web application; the Dropbox desktop client as well as the Dropbox Core SDK are eligible for the bounty program. Bugs in Dropbox Paper are also eligible.

Dropbox Passwords is in scope: the Android app, the iOS app, and the browser extensions.

Acquisitions are typically not in the scope of this program, unless listed below. We may still reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.

HelloSign has been acquired by Dropbox and is now in scope for this program. Please refer to the HelloSign section below for more details.

Eligibility and Responsible Disclosure

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

• Share the security issue with us in detail;

• Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners will not result in any bounty or award since those are explicitly out of scope;

• Give us a reasonable time to respond to the issue before making any information about it public;

• Do not access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;

• Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Dropbox;

• Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and

• Otherwise comply with all applicable laws.

We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

Out-of-scope Vulnerabilities

The following issues are outside the scope of our rewards program:

• Our policies on presence/absence of SPF/DMARC records.

• Password, email and account policies, such as email id verification, reset link expiration, password complexity.

• Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).

• Login/logout CSRF.

• Attacks requiring physical access to a user's device.

• Missing security headers which do not lead directly to a vulnerability.

• Missing best practices (we require evidence of a security vulnerability).

• Hosting malware/arbitrary content on Dropbox and causing downloads.

• XSS on dropboxusercontent.com is out of scope.

• Self-XSS (we require evidence on how the XSS can be used to attack another Dropbox user).

• XSS on any site other than the following:

  • www.dropbox.com

  • paper.dropbox.com

  • showcase.dropbox.com

• We will accept reports of XSS on other dropbox.com subdomains but will not reward for them.

• Host header injections unless you can show how they can lead to stealing user data.

• Use of a known-vulnerable library (without evidence of exploitability).

• Issues relating to buggy non-Dropbox client software.

• Reports from automated tools or scans.

• Reports of spam (i.e., any report involving ability to send emails without rate limits).

• Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking).

• Vulnerabilities affecting users of outdated browsers or platforms.

• Social engineering of Dropbox employees or contractors.

• Any physical attempts against Dropbox property or data centers.

• Presence of autocomplete attribute on web forms.

• Missing cookie flags on non-sensitive cookies.

• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).

• Any report that discusses how you can learn whether a given username, email address has a Dropbox account.

• Any access to data where the targeted user needs to be operating a rooted mobile device.

• Any report on bypassing our storage limits etc. is out of scope.

• Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.

• Any report about how Dropbox can be used to serve malware (we have separate rate limits and malware detection systems for those that prevent attacks at scale).

• We will only accept critical reports in blogs.dropbox.com (e.g., RCE). Minor issues that can't impact Dropbox users are out of scope. Please report them to the Automattic Program.

• Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where attacker can inject image or rich text (HTML), but it is not eligible for a bounty. Pure text injection is out of scope.

• Ability to share links without verifying email.

• Absence of rate limiting, unless related to authentication.

• Reflected File Download vulnerabilities or any vulnerabilities that let you start a download to the user's computer are out of scope.

• IP/Port Scanning via Dropbox services unless you are able to hit private IPs or Dropbox servers.

• Devices (ios, android, desktop apps) not getting unlinked on password change.

• Hyperlink injection or any link injection in emails we send.

• Creating multiple account using same email is also out of scope.

• Phishing risk via unicode/punycode or RTLO issues.

• Being able to upload files with wrong extension in chooser.

• Editable Github wikis.

Here's a note on best practices for submitting a report

Notes on SSRF Submissions

Before submitting an SSRF report, please ensure that the response you're receiving is neither:

• reset

• HTTP/1.1 403 Forbidden

Either of these responses usually indicates that your request was blocked by our Squid proxies and is not a valid SSRF.

Notes on Testing "Sign-in with Apple"

To test our Sign-in with Apple implementation, you will need an iOS device and enroll in our mobile application beta. Instructions on how to enroll in the beta can be found here.

HelloSign

HelloSign’s digital workflow platform – which includes eSignature, digital workflow, and electronic fax solutions — helps over 55,000 companies and millions of people do business faster. Our customers trust us with their most important documents, and it’s our responsibility to keep these documents private and secure. We adhere to industry-leading practices to manage our network, secure our web and client applications, and set policies across our organization. HelloSign takes security seriously and looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Assets in Scope

• app.hellosign.com

• api.hellosign.com

• portal.helloworks.com

• api.helloworks.com

• app.hellofax.com

• api.hellofax.com

• https://appexchange.salesforce.com/appxListingDetail?listingId=a0N3A00000EFmGIUA1

This is the HelloSign for Salesforce application. Visit the link above to download and install the application in a Salesforce Dev Org. Please follow this [document] (https://developer.salesforce.com/docs/atlas.en-us.externalidentityImplGuide.meta/externalidentityImplGuide/external_identity_create_developer_org.htm) to download and setup a Salesforce dev org.

Our mobile applications, our blogs (blog.hellosign.com and blog.hellofax.com), and any 3rd party hosted subdomain (such as status.hellosign.com and faq.hellosign.com) are not in scope.

We strongly discourage using any automated vulnerability scanner that generates large volume of requests. This might lead to blocking the original IP address and even potential disqualification from our program.

Bounty Structure

| Critical | High | Medium | Low |

| -------- | ------ | ------ | ---- |

| $12,167 | $4,913 | $1,728 | $216 |

Notes

HelloFax and HelloSign share a lot of the same software stack and source code. A report identifying an issue in one will be considered a duplicate if it has already been reported for the other.

In addition, to Out-of-scope Vulnerabilities mentioned above, we typically don’t accept limited paid features being available under free plan as a security issue in HelloSign, HelloFax and HelloWorks.

Thank you for helping keep HelloSign and our users safe!

Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If your report addresses a vulnerability of a Dropbox business partner, Dropbox reserves the right to share your submission in its entirety, including your identity, with the business partner to help facilitate testing and resolution of the reported vulnerability. If legal action is initiated by a third party against you and you have complied with Dropbox’s bug bounty policy, Dropbox will take steps to make it known that your actions were conducted in compliance with this policy.

Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

The Fine Print

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Dropbox employees and their family members are not eligible for bounties.

Dropbox may choose to provide you with complimentary access to Dropbox products. This access is solely for the purposes of enabling your testing, and may be revoked at any time with or without advanced notice. If access is revoked, you may lose access to any materials saved in those products/accounts.

In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Dropbox reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.