Drop is proud to offer $500 and up for critical security bugs that responsible researchers may uncover. We understand that discovering these issues can require a great deal of time and energy investment on your part, and we are happy to compensate you for your efforts. Please review the documentation below on the details of the program.
Web application vulnerabilities such as XSS, CSRF, SQLi, authentication issues, remote code execution, and authorization issues. The vulnerability must be in the main drop.com site or the drop.com API. Note that systems we do not control (such as links/redirect to 3rd party sites, or CDNs) are excluded from the scope of the bounty. You must be the first person to responsibly disclose the bug to us, you must have found the vulnerability yourself, and you must follow responsible disclosure principles of giving us a reasonable time to address the issue before you make any information public.
Although we review each submission on a case-by-case basis, the following are some of the issues which typically do not meet the requirements of our bounty program:
Best practices. We don't accept submissions that are simply configuration/policy suggestions.
Output from automated tools without a proof of concept. Output that is copied from websites like ssllabs.org or vulnerability scanners without a proof-of-concept usually contain a lot of false positives.
Security reports that don't pertain to drop.com If you're sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.
Flaws specific to out of date browsers/plugins. Amongst others, this encompasses versions of Internet Explorer prior to version 10.
Logout cross-site request forgery.
Username enumeration through login or password reset.
If you are confident you have found a bug that satisfies our criteria, please email firstname.lastname@example.org with the relevant details and we'll follow up asap.