  • $100 – $10,000 per vulnerability
  • Partial safe harbor

Program stats

  • Vulnerabilities rewarded: 88
  • Validation within 2 days: 75% of submissions are accepted or rejected within 2 days
  • Average payout: $1,048.07 within the last 3 months

Keeping user information safe and secure is a top priority and a core company value for us at Dropbox. We welcome the contribution of external security researchers and look forward to rewarding them for their valuable contributions to the security of all Dropbox users. Please make sure you review the following program rules before you report a vulnerability.


Dropbox may, at its sole discretion, provide rewards to eligible reporters of qualifying vulnerabilities.

Dropbox may choose to pay higher rewards for unusually clever or severe vulnerabilities. For vulnerabilities that require significant or unusual user interaction, the rewards may be lower. Adjustments for higher bounty awards will only be made if the severity of the issue is determined to be higher, not due to any past payout award levels.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.