Dropbox
Cloud storage and file synchronization service used by over 700 million users for personal and business file management.
https://dropbox.com

Max Reward: $32,768
Total Paid: $1,900,000
Resolved: 267
Avg Response: 3 days
In-Scope Assets

| Asset | Description |
|---|---|
| dropbox.com | Web app, file sharing, and team management |
| Dropbox API | File operations and authentication APIs |
| Dropbox Desktop | Sync client and Smart Sync |
| Dropbox Paper | Collaborative document editor |
Out of Scope
- ✕ DocSend (separate program)
- ✕ HelloSign (separate program)
- ✕ Marketing pages
Severity Levels & Rewards

Vulnerability classes by severity tier, listed from highest to lowest:
- RCE, authentication bypass, privilege escalation, fund extraction
- Stored XSS, CSRF with impact, API abuse, data manipulation
- Reflected XSS, data leakage, logic flaws, information disclosure
- Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (1)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| DBX-001 | File access bypass via shared link token prediction | High | Open | $5,000–$15,000 | 1 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.