Click to view our Accessibility Statement or contact us with accessibility-related questions

Drop Bounty Program

Drop is proud to offer a reward for security bugs that responsible researchers may uncover: $200 for low severity vulnerabilities and more for critical vulnerabilities. We understand that discovering these issues can require a great deal of time and energy investment on your part, and we are happy to compensate you for your efforts. Please review the documentation below on the details of the program.

What's a valid bug?

Web application vulnerabilities such as XSS, CSRF, SQLi, authentication issues, remote code execution, and authorization issues. The vulnerability must be in the main site or the API. Note that systems we do not control (such as links/redirect to 3rd party sites, or CDNs) are excluded from the scope of the bounty. You must be the first person to responsibly disclose the bug to us, you must have found the vulnerability yourself, and you must follow responsible disclosure principles of giving us a reasonable time to address the issue before you make any information public.

What's not a valid bug?

Although we review each submission on a case-by-case basis, the following are some of the issues which typically do not meet the requirements of our bounty program:

  • Best practices. We don't accept submissions that are simply configuration/policy suggestions.

  • Output from automated tools without a proof of concept. Output that is copied from websites like or vulnerability scanners without a proof-of-concept usually contain a lot of false positives.

  • Security reports that don't pertain to If you're sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.

  • Flaws specific to out of date browsers/plugins. Amongst others, this encompasses versions of Internet Explorer prior to version 10.

  • Logout cross-site request forgery.

  • Username enumeration through login or password reset.

How to report a bug

If you are confident you have found a bug that satisfies our criteria, please email with the relevant details and we'll follow up asap.