At Box our top priority is the safety, security and control of our customers' data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible reporting of potential security vulnerabilities, the Box security team has committed to working with the community to verify, reproduce and respond to legitimate reports.
If you believe you've identified a potential security vulnerability, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.
Responsible Disclosure Guidelines
To encourage responsible disclosure, Box will not initiate any legal action against security researchers as long as they adhere to the following guidelines:
- Notify Box and provide all details of the vulnerability before making any information public.
- Provide Box a reasonable amount of time to address the issue before making information public.
- Provide all details of the vulnerability to support validation and reproduction of the issue.
- Make a good faith effort to avoid data destruction, theft, privacy violations and interruption or degradation of our service.