"For now, the Dropbox, Carousel, and Mailbox iOS and Android applications; the Dropbox and Carousel web applications; the Dropbox desktop client as well as the Dropbox Core SDK are eligible for the bounty program. We may also reward for novel or particularly interesting bugs in other Dropbox applications."
There are a series of rules which security researchers will have to follow to be eligible for the rewards.
"You are responsible for complying with any applicable laws, and you should only use your own accounts or test accounts for reporting vulnerabilities.
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
- Share the security issue with us in detail
- Give us a reasonable time to respond to the issue before making any information about it public.
- Not access or modify user data without permission of the account owner.
- Act in good faith not to degrade the performance of our services (including denial of service)."
More can be read from HackerOne Post concerning the program and the rules [Click Here!]