
Drop Bounty Program

Drop is proud to offer a reward for security bugs that responsible researchers uncover: $200 for low-severity vulnerabilities, and more for critical vulnerabilities. We understand that discovering these issues can require a great deal of time and energy on your part, and we are happy to compensate you for your efforts. Please review the documentation below for the details of the program.

What's a valid bug?

Web application vulnerabilities such as XSS, CSRF, SQL injection, authentication issues, remote code execution, and authorization issues. The vulnerability must be in the main drop.com site or the drop.com API. Systems we do not control (such as links or redirects to third-party sites, or CDNs) are excluded from the scope of the bounty. You must be the first person to responsibly disclose the bug to us, you must have found the vulnerability yourself, and you must follow responsible disclosure principles by giving us a reasonable amount of time to address the issue before you make any information public.

What's not a valid bug?

Although we review each submission on a case-by-case basis, the following are some of the issues which typically do not meet the requirements of our bounty program:

  • Best practices. We don't accept submissions that are simply configuration/policy suggestions.

  • Output from automated tools without a proof of concept. Output copied from websites like ssllabs.org or from vulnerability scanners without a proof of concept usually contains a lot of false positives.

  • Security reports that don't pertain to drop.com. If you're sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.

  • Flaws specific to out-of-date browsers or plugins. Among others, this encompasses versions of Internet Explorer prior to version 10.

  • Logout cross-site request forgery.

  • Username enumeration through login or password reset.

How to report a bug

If you are confident you have found a bug that satisfies our criteria, please email fixme@massdrop.com with the relevant details and we'll follow up as soon as possible.