Vulnerability Reporting Policy

Report a Security Vulnerability

At Box our top priority is the safety, security and control of our customers' data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible reporting of potential security vulnerabilities, the Box security team has committed to working with the community to verify, reproduce and respond to legitimate reports.

 

If you believe you've identified a potential security vulnerability, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.
 

Please report any Box account or content abuse issues to abuse@box.com
 

Responsible Disclosure Guidelines

To encourage responsible disclosure, Box will not initiate any legal action against security researchers as long as they adhere to the following guidelines:

 

  • Notify Box and provide all details of the vulnerability before making any information public.
  • Provide Box a reasonable amount of time to address the issue before making information public.
  • Provide all details of the vulnerability to support validation and reproduction of the issue.
  • Make a good faith effort to avoid data destruction, theft, privacy violations and interruption or degradation of our service.

 

Please email your report to vulnerability-disclosure@box.com. We strongly encourage all report emails to be encrypted with our PGP key below.

 

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF0Kxe4BEADdN+rBtA46KZASUX1kUoc67l3brDDsNFM7iIQPtyMpjFvMhwtc Uy8T63H7gIMpg0gRIzC++XMwFDN1gaw5/d2l8NDMrqr73Jb9o6v9tNzGTBKZtFX4 WFZW+mUpP/9KZcoaV1E+pVVbxjP3rmjLCFp4n4z/FoOEfXb0C1hKBb0C0LcIkeeS UXfbyyCmfkQsR/HPEn8iFsVkzMKhKkt7Z5uhSJaEUsDlVcb6QoWz1MzOOSBoLN5W wb1M3NVv+k+Qm7nzMxA4pc8InXPRNx4MxLbrvUc49b6v43MFwASxIettZm7bFcco I355jYZO0G0QDAxFKUDFv64Il7X4nmNXfzSA2p1nDza3NOPsePCV03eptDkwdn+T iASPx+kN68zXBlg7KjQ+T8D07/GPy5Qi0OnxOmslG7uDNqVNwlp/eG2L4o+Zhua7 3KcyDfN86+qldbRPslvcyI3T/pG5D8MfMLlQeXmNEEA2MjeByaW6tmM1bzHpRc3b 90cuP1klNxha9DYLftm/ojx7gwO7CN0jp+5e4e+QwafW3pRfFjpRVKvjOVMEhVS6 vrAngstjmxeDB5ZaoLVGI+E1ymKfIMAntz5R2lWWBakb25rjfbWFzE1QYJFufU56 WJ6A4BHqHfG95sRKHpUq4SLUiG05v5FPyYpcfl+wQNcm2RVlI9CKTTKUeQARAQAB tD9Cb3ggVnVsbmVyYWJpbGl0eSBEaXNjbG9zdXJlIDx2dWxuZXJhYmlsaXR5LWRp c2Nsb3N1cmVAYm94LmNvbT6JAlQEEwEIAD4WIQQQLpWFe7wr6NWauvpx3MXIsirR SgUCXQrF7gIbAwUJBaOagAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBx3MXI sirRSjbVEACfoYoB4illacyuEG6PFj4UPsrjlnGUCBauf0iJ0SH1bJu21/yjSv8l 22KYlhYYvXNnbWf5k7HNkGp90GwDE3GWThm7qmZLBTXMvHVp35zB4C00I2FYiJbe rK2EW9MYZDIzFx/55BDE+D7GqgCVyIPTp65vvIetEDt+MsEtNuf2uxzs1CcPe2Z1 9ZMzq5kGiT7rjzDaZZNJdqCY+6jNqmyBTJR0RhWdpDkTexgT4AUZAA6Ofwp4JXgL c7qz3+09CIwHEASKmrJAK8VXKQgTSlkJP000nIAuhS8jYtFmjMD1k0XEgk5yIN9h BLwVU96ilrLOWRQwOMgNS0SQp3UcGBX3dYmJhvAp6XfX+Rt0pI8Pw0dzzr3XLsP9 uIAs7ACLl/JOQYeiAqmls7kS9QQUDD0trsqoycTOXXptjiYv2Syb7aK9g95m6f+b JMI6QHfo7snyxzvjp+ryNVqCNQwZTjfA2oyDEUxJZmd3CnkSjgT4EYELS7cg9r0q UGN5xZGwDSibRW9uFLH8UXwpd/Maw3/9kHT/4DP/A7KfTRyHZaJ0uQqNF6E2uBVQ jINGYNwtm3ddKgtqDoBy2tRzEJLj2mlM97Nd0STPdpJy3EP1auMbBoiGwe8B4wKE 0zSejllnRV2/saW0p06762gQo3B0nym5+QNzY8HZLmAw6h4335RwsLkCDQRdCsXu ARAAtU6zcd5mbfw54JC5WOIxQi7wmTNRCo8ihpAjKtmDSLYiju3zJiY3cJtm7YXE BK//fJLKg5Yb15kmndx8VWdzU9rLeTpGmXM+Kdr3jJB1kSmPVdnbg3rhYmSqa4jh 8oSS8luuWtrzHDT93EyPQxaH+GiJmxXOmcIMrvm0jusZJAFKPpA6Iw/dN0nKaQ8T sBLmDJG/+F0bTVvxdoz41IGMQz6wP8zP7LN6Juw3N+HUBieY3UTbBkWXPWuRnamm FBlcc/mRdYY28/cT5FL0E/tlyo/yYt8z2fxXh2jdz2hc94q2IOPuhcqvORSgc0h9 aBEz1qsDo5edBC1ZO9KGgSvRb/0G+dIyFIX8rNUA7+EL26dP0YzNABBkDw2MpnL8 MlD5hsja7/NBE2MGZJZ1hLCzITwL12KtkKDdnei+UBTwwjOAg0Oi5lp+tXV0ch24 D3Sfygb4u0BaP8x0KdYSp/CrKtKydx3u4SZFVv11n9SmTCkSV1TZuoRckoCIAszx 7HJmCZFlw0vuvosf6K8eQT8mZUbIXbBNeNn4+O8ZcHfNUkD9rbafRU/J6N7E2CSc I8abalAjKOXMHJVf0RKrSuQrYRfRnZ5a/UjG5tmEuPRILn6xQsXLBcG55n+OFyyY oZh5xeEhgtw5sV/+fBQq46NVfy6ZDMFWZxT9Wo0Ez+0F2HUAEQEAAYkCPAQYAQgA JhYhBBAulYV7vCvo1Zq6+nHcxciyKtFKBQJdCsXuAhsMBQkFo5qAAAoJEHHcxciy KtFKJ84P/iQ6A/212n6k/dnXmiXfrPI4WgvoB3K8QEm8XPApu7Yer0REiBDBIJL2 LxS2f9zr1Xkzn8dYG5wyMPCFw/biKUEGbuxRA7uYcxR8QFhhqswKXfo5CIylGn3J ZVlnyA0r8VuC++lW6P0F2l0yvJeeBoYDRNm12V65LktsmL0Zhv4xGn6gnHMeBKo1 wouybQ5nkrtXnMdpDkkRZzW672NiBhUuYz1+rqmXW4iobhmX7tPBoqtQkbVbpEna 7mAwJqn+v5jz/3FOIlp+CaRkgDyw4EbD4HwwgeMq1rJFc4kNLM7psHwHdj2EdsO0 85BVA/+y4nyLDx/UCqjIRa07pa5AHxTKy2KK8J9ZBR2knltLc/TV6IKEyUKfv4c1 L7YqedwONAcgECQoenTstvSeufo0Jc2CmBYp0BJk/V4puwOq5JpDJyFsAd9a/Rtz qnP/iHaCRFLT/ZL8OuYO944KRcVdhH3h2y/KFsJTqPpaV64xkzx44VXmZY69DNbM zIMOmveSyCDDsdsQ7jUkRKyTIRbwal/MkP/DsbTP/9M2Era5cGvnSCk6GFQ7CDTo b7vBeIInccLpT9gFdWOA8vs5TvRbJQu33ecxudpSr5jfgQKH9AR677U1RHRFX0H0 2RiOiB0/J9cbXfZtmIFzLvou7iJqmMiekfwWb1q3rPbt3+4Rr5qv =5Wd6

-----END PGP PUBLIC KEY BLOCK-----