Dropbox identifies 264 vulnerabilities in bug hunting in HackerOne Singapore

Vulnerabilities

A one-day bug bounty event run by a cloud storage vendor paid out $319,300 and drew 45 HackerOne members to Singapore. Two HackerOne members discuss their approach and advise businesses on securing their systems. Dropbox identified 264 vulnerabilities and paid $319,300 in bounties after a one-day bug hunt in Singapore that gathered hackers from 10 nations.

The live event, hosted by bug bounty platform HackerOne, was attended by 45 of its members from countries such as Japan, India, Australia, Hong Kong and Sweden, some as young as 19, in an attempt to break into Dropbox’s targeted systems. The cloud storage provider had revealed parts of its “attack” scope earlier, so HackerOne members had already identified and submitted dozens of potential bugs before the live event.

According to a company spokesperson, Dropbox and its recent digital workflow acquisition, HelloSign, were the focus this time. The Dropbox spokesperson said the firm already had a mature bug bounty programme and had established a “well-defined process” to review bugs reported through these initiatives, determine their severity and decide on the necessary corrections. Since its founding in 2012, HackerOne has run more than 1,300 such programs and paid more than US$49 million to its hackers.

“Like all of our bug bounty efforts, we hope to leverage the unique perspectives and efforts of the participants to help us continue to make our products secure.” “While we already have one of the most permissive scopes in the industry, we’ve expanded it even further for the live-hacking event [in Singapore]. Dropbox strongly encourages all companies to invest in a bug bounty program and considers a well-run bug bounty program to be a sign of technical security maturity.”

HackerOne currently has more than 390,000 registered hackers on its platform. In Singapore, it has worked with clients such as the Ministry of Defence, GovTech and Grab. HackerOne CEO Marten Mickos said he hoped the company would reach US$100 million in payouts by the end of 2020, by which time he wanted a community of one million ethical hackers on its platform. It expects to have helped its customers identify and fix over 200,000 vulnerabilities, including 16,000 critical bugs.

The company set up its Singapore office, which also serves as its Asia-Pacific headquarters, just seven months ago; the office supports customers in China, Australia and Thailand, among others. Asked how its services differed from those of security consulting firms, Mickos said third-party consulting firms still played a role when a company had a specific problem it was looking into.

“Our community’s power is its diversity; our hackers come without prejudice, and they are only paid if they find something, so they’ll continue to look until they do,” he said. Luke Tucker, HackerOne’s Senior Community and Content Director, said the business worked with customers to decide how many hackers would be invited to participate in a live event and flown on site.

Customers were also encouraged to join the bug hunt with their own security team. Tucker added that the customer would determine the amount of rewards it wanted to pay and that HackerOne would take a commission on the payment. To date, US$400,000 has been the highest amount ever paid in a one-day event, he said, adding that multi-day programs could see bounties exceeding US$500,000.

HackerOne customers also pay for additional services such as its triage team, which is responsible for checking and validating the bugs found during a program, he said. To select the hackers who would participate in a program, HackerOne would look at each hacker’s position on the company’s leaderboard and assess their consistency and profile, including the accuracy of their reports and the impact of the bugs they had found.

Tucker added that HackerOne also ran Capture The Flag games specifically designed to identify hackers’ skills in particular areas, such as mobile apps. Jack Cable, a freshman studying computer science at Stanford University, was also involved in the Dropbox bug hunt in Singapore.

At 19, Cable has been a member of HackerOne for the past three years, participating in over 100 bug bounty programs, including those of Google, Facebook and the U.S. Department of Defense. To date, he has identified more than 250 vulnerabilities, including over 30 involving the US Air Force. The bounties he earned have been used to finance his college education, but he declined to reveal how much he has earned. He had already identified 10 bugs before the Dropbox live hacking event started.

The Dropbox bug hunt was also attended by fellow HackerOne member and 26-year-old security engineer Kaung Htet Aung. Since joining HackerOne just under two years ago, Kaung has taken part in more than 40 programs, including a recent live event in New York.

His current tally stands at about 100 vulnerabilities, and before the start of the live hacking event he too had found five vulnerabilities. Kaung studied computer engineering at the National University of Singapore, building his hacking skills with HackerOne’s Capture The Flag games.

Cable said that which systems were the weakest and which were the hardest to break into depended on the maturity and security orientation of the organization’s systems. No matter what, he noted, there would be vulnerabilities in any system. “You’ll find them if you look at it long enough,” he said. “What’s more important is how companies respond to the flaws they find.”

Businesses should recognize that their systems are likely to have flaws and be willing to find and resolve them, Cable said, adding that their systems can only be secure if they first recognize this. Mickos agreed, noting that there were holes in every system and that businesses should always try to fix them all.

“Start by not focusing on where you are most vulnerable but where you have the greatest value, including systems containing customer data or medical data,” he said. Internet of Things (IoT) devices, for example, were typically poorly protected, but normally did not contain a lot of sensitive data.

Cable and Kaung both urged companies to plan for and look at security from the beginning and throughout the entire software development lifecycle. Cable noted that this would be difficult if businesses had other issues to worry about, but that if they took action ahead of time, while developing the software, they could establish a better security posture. Kaung agreed, adding that organizations should perform security tests and evaluations as part of their software development timeline. “Although they are developing it, at the same time they are making it secure,” he said, noting that this would also ensure that additional features were not left unsecured.

According to Tucker, there had been four to five instances in which HackerOne members were offered jobs at companies participating in bug bounty programs. Dropbox said it “heavily” invests in developing its own security team and in educating its staff about security best practices and the current threat landscape. This allows everyone in the organization to better arm themselves against attacks such as spear-phishing and social engineering, the spokesman said, but he did not say how big the security team was. He also declined to say how many hacking attempts Dropbox detected and blocked each day, but the company’s global user base of more than 500 million meant it faced challenges that few others did.

He also declined to detail how many hacking attempts had been made in Asia or how many of its users were from Asia. Dropbox generated US$1.39 billion in revenue for its 2018 financial year, up 26% from the previous year, and averaged US$117.64 in revenue from each paying user.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.