Dropsuite Bug Bounty Program

Dropsuite is committed to keeping our customers’ data and systems secure. We reward responsible disclosures of vulnerabilities according to our Bug Bounty Program. Our Bug Bounty Program is open to the public; to avoid any misunderstandings, we assume that you have read and understood these guidelines if you participate in our program.

Scope

Any of Dropsuite’s web services that handle end user data are in scope, including:

Eligibility

To be eligible for the Program, you must not:

  • Be in violation of any national, state, or local law; your testing must not violate any law or disrupt or compromise any data that is not your own.
  • Be an employee of Dropsuite or its partners.
  • Be an immediate family member of a Dropsuite employee (or have been one in the six months before your submission).
  • Be less than 18 years of age.

You must be reporting in an individual capacity. Dropsuite maintains the sole discretion to determine eligibility. If we determine that your Submission is eligible and offer an award, we will notify you of the amount and provide you with paperwork that must be completed before we can provide the award payment.

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • SQL injection
  • Authentication or authorization flaws
  • Server-side code execution
  • Remote code execution

Non-qualifying vulnerabilities

  • Issues found through automated testing
  • Denial of Service attacks
  • Brute Force attacks
  • Spam or Social Engineering techniques
  • SPF, DKIM, and DMARC issues
  • Content injection
  • Hyperlink injection in emails
  • Content Spoofing
  • Full-Path Disclosure
  • Clickjacking with no sensitive actions
  • Strict Transport Security (HSTS)
  • Self-XSS
  • XSS mitigation headers (X-Content-Type-Options and X-XSS-Protection)
  • X-Content-Type-Options
  • Open ports without a vulnerability
  • Bugs that do not represent any security risk
  • Security bugs in third-party applications
  • Bugs requiring exceedingly unlikely user interactions

Report Process

Please submit your Report via email to dpo@dropsuite.com. In your Report, please include the following information:
  • Vulnerability type (buffer overflow, integer overflow, …)
  • Issue impact (arbitrary code execution, information disclosure, …)
  • Affected product and version
  • Instructions to reproduce the issue
  • A proof-of-concept (PoC)
Depending on the severity we assign to the bug, we may take between 1 and 4 weeks to reply to your submission.

Disclosure Rewards

The final reward amount is solely determined by a Dropsuite team consisting of our technical staff and is based on the estimated risk posed by the vulnerability. The current reward range is from USD 50 to USD 1,000.

If you report several issues that are duplicates in different parts of the service (e.g., the same code running on different nodes or platforms), or that are part of a larger issue, these may be combined into a single submission, and only one reward may be paid.

The following list gives the severity classes and the corresponding bounty for each.

  • Low severity bugs: USD 50 and up
  • Medium severity bugs: USD 100 and up
  • High severity bugs: USD 250 and up
  • Critical severity bugs: USD 500 and up