Vulnerability Reporting Policy

Report a Security Vulnerability

At Box, our top priority is the safety, security and control of our customers' data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible reporting of potential security vulnerabilities, the Box security team has committed to working with the community to verify, reproduce and respond to legitimate reports.

If you believe you've identified a potential security vulnerability, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.

Responsible Disclosure Guidelines

To encourage responsible disclosure, Box will not initiate any legal action against security researchers as long as they adhere to the following guidelines:

  • Notify Box and provide all details of the vulnerability before making any information public.
  • Provide Box a reasonable amount of time to address the issue before making information public.
  • Provide all details of the vulnerability to support validation and reproduction of the issue.
  • Make a good faith effort to avoid data destruction, theft, privacy violations and interruption or degradation of our service.


Please email your report to security-reports@box.com. We strongly encourage all report emails to be encrypted with our PGP key below.

