Vulnerability Reporting Policy
Report a Security Vulnerability
At Box our top priority is the safety, security and control of our customers' data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible reporting of potential security vulnerabilities, the Box security team has committed to working with the community to verify, reproduce and respond to legitimate reports.
If you believe you've identified a potential security vulnerability in any Box services, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.
Please do not disclose your findings until we have had the opportunity to review and address them with you. Box will consider the researcher's request to make a public disclosure but reserves the right to deny such disclosure requests. We appreciate your help in keeping Box secure for our community.
Responsible Disclosure Guidelines
To encourage responsible disclosure, Box will not initiate any legal action against security researchers for assessing vulnerabilities as long as they adhere to this policy, including the following guidelines:
- Box has partnered with HackerOne for our vulnerability disclosure program. Notify Box and provide all details of vulnerabilities you find using the HackerOne form below.
- Provide all details including the Box account username, IP address and the date/timestamp of the vulnerability to support validation and reproduction of the issue.
- You may only test against your own Box accounts. Do not interact with an enterprise and/or personal Box account that you don’t own (such as by modifying or accessing data from the account).
- Do not access or attempt to access data that does not belong to you.
- Do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive data or probing for additional issues.)
- Do not perform actions that may negatively affect Box or its users, such as: executing or attempting to execute any “Denial of Service” attack, posting, transmitting, uploading, linking to, sending or storing any malicious software and/or file, testing third-party applications, websites or services that integrate with or link to Box applications.
- Do not conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure and employees of Box.
- Do not test the physical security of Box offices, employees, equipment, etc.
- Do not violate any law or disrupt or compromise any data that is not your own.
- By reporting a security bug or vulnerability, you give us the right to use your report for any purpose.
Public Acknowledgement Policy
At this time, Box does NOT maintain a public facing list of externally reported issues and reporters.
Box may cancel this program or change this policy at any time. Please review the current version of policy at https://www.box.com/about-us/security before performing any vulnerability testing or taking any other action based on the policy.
Policy last updated on this date: August 29, 2019