Date: 2017-09-21

ONLINE THUMBDRIVE Dropbox has increased the amount of cash that it will lay down when someone tells it about a bug in its software, raising the top bounty to $32,768 as a way of saying thanks to spotters.

Nice people to do business with. The firm launched the bounty program in 2014, offering bounties of between $5,000 and $10,000. It said that the system has allowed it to be much more agile in dealing with issues and has helped it radically reduce fix turnaround times.

"Over the past three years, leading security researchers from around the world have participated in our programs with some amazing, often original research. Beyond just the individual bugs, we have learned many a lesson, uncovering unique, interesting threats, exploit vectors, and new research as well as rejigged our priorities based on the bug bounty reports. From Dropbox and all our users, a big THANK YOU to all the researchers that help secure Dropbox for our users!" wrote Dropbox security engineer Devdatta Akhawe.

"We know that researchers value quick response and rewards. We recently measured our response times since 2014 and learned that 75 per cent of our responses were within 2 days and 2 hours, with the quickest response being around 50 minutes. We have been working hard to improve our responsiveness and our reward latency even more. Over the last 12 months, we've drastically reduced our 75th percentile response time to under 16 hours of the report. For high-quality reports, we usually reward as soon as we reproduce the bug. In fact, we have sometimes paid out within minutes of receipt of a bug."

It is not all self-trumpet blowing: the firm also blogged about how much it appreciates the researchers and their "high-quality work". Some researchers have been invited to join a VIP program where reports about bugs are expected to be studied and resolved within nine hours.

"Dropbox users trust us with some of their most sensitive data, and we work ceaselessly to provide the best possible security for our users. Security researchers participating in our bug bounty program are a critical partner in this effort," it added.

"We are delighted to announce that we are more than tripling our bounties, with the reward for critical bugs — for example, bugs that could lead to remote code execution (RCE) on our servers — now topping out at $32,768 and bounties for RCE affecting our desktop/mobile clients at $18,564. To help kickstart this, we have also topped up any critical reports in the last 6 months with the equivalent increased bounty, paying out an additional bounty of over $28,000 for high/critical bugs reported this year." µ