
Files.com
External Program
Here at Files.com, we take security seriously and encourage independent security researchers to help us keep our platform secure. We offer a Security Bug Bounty Program (the “Program”) to provide a clear incentive and reward structure for responsible security research on Files.com.
We pay $250 to $10,000 USD, at our sole discretion, for valid reports that identify significant security vulnerabilities. We pay quickly and fairly, every time—provided you follow these rules.
If you have discovered a vulnerability or would like to perform security research against Files.com, you must read and comply with the terms below.
Files.com enforces strict program rules and professional standards.
Failure to comply with these rules—including submitting reports based on assumptions, undocumented expectations, or unprofessional behavior—may result in immediate report closure, negative reputation points, reporter bans, and escalation to HackerOne.
If you believe a report violates our rules, do not submit it.
Testing is authorized only against assets explicitly listed as In-Scope. Any Files.com domain, subdomain, or property not listed—including unlisted subdomains and affiliated entities—is out of scope.
Be professional. Be precise. Use the documentation.
We are interested in vulnerabilities that pose real, material security risk to Files.com or our customers.
Examples include (but are not limited to):
Files.com maintains comprehensive, publicly available API documentation at https://developers.files.com/ that explicitly defines which users and roles are permitted to perform each action in our API.
The web application UI is not to be used as a definition of our security boundaries. The absence of a button, menu item, or workflow in the web UI does not imply that an action is unauthorized via the API.
If you believe an API endpoint permits actions beyond what is intended, your report must reference the relevant API documentation and demonstrate how the behavior contradicts the documented authorization model.
Reports based on:
will be closed as invalid.
In short:
While we encourage the use of CVSS or similar scoring systems, Files.com retains final discretion over severity categorization.
We use CVSS as a starting point and apply additional adjustments, including (but not limited to):
Severity reflects the actual value and impact of the finding to our business and customers.
To participate in our program, you must create a trial account on our platform by navigating to Files.com and clicking the button to start a Free Trial. The Trial sign-up process will create the 'your-assigned-subdomain.files.com' URL to be used for testing.
VERY IMPORTANT: Your account must include the phrase "[BUGBOUNTY]" in the "Company Name" used when registering. (Without the quotes, no space between the two words, but with square brackets.)
Here is an example of the values to use in the Trial sign up form:
Absolutely do not under any circumstances input payment card information (credit card or debit card) or make a payment unless you intend to pay the charge in full. If you properly tag your account as a [BUGBOUNTY] site by following the directions above, we will not prompt you for payment during your testing period.
The following reports are out of scope and will not be rewarded:
Only vulnerabilities exploitable by a standard user without elevated permissions are in scope.
The following behaviors are intentional, documented, and not security issues:
API Capabilities Beyond The UI: The Files.com API exposes functionality not present in the UI by design.
Form Field Sets: Form field sets are available to all users exactly as documented.
User and Group Visibility to Folder Admins: Folder Admins are intended to see all users and groups.
“Allow Users To Create API Keys” Setting: This setting governs API key creation only. It does not restrict deletion or management.
Files.com interprets documentation literally. If it is documented, it is authorized.
Files.com is an FTP, SFTP, and WebDAV hosting service. This necessarily means that our servers run an open FTP service on port 21 and SFTP on port 22, and that they respond to WebDAV verbs. The mere presence of these services is not a finding.
The Read-Only Site Admin permission really does provide read access to everything that a Site Admin can see. Reports suggesting that Read-Only Site Admin users should not be able to see something are misguided; they are intended to be able to see everything a Site Admin can.
Files.com offers the ability to make a folder publicly hosted at https://subdomain.hosted-by-files.com/folder_name/. This hosting mode is intended to be full-featured web hosting just like any other web hosting provider, meaning that the ability to serve full websites with Javascript is intended. This means that you can upload malicious Javascript to that folder and have it be served. That's intentional. In order for an XSS attack related to public hosting to be in scope, it needs to relate to one Files.com customer attacking another customer, rather than attacking itself.
EXIF Geolocation data not being stripped: Files.com does not alter uploaded content in any way. Users are free to upload and share content any way they want.
Symlinks are not a vulnerability unless they create security risks like unauthorized access or privilege escalation. Reporting their presence alone is not a valid issue without a proven security impact.
We aim to pay bounties as quickly as possible and will sometimes pay a bounty before the issue is patched. Therefore, we require that you do not disclose any vulnerability publicly, either before or after the bounty is paid.
If paid a bounty, you may disclose that you received a bounty, but you may not disclose the amount or any information related to the type of vulnerability you found. Under no other circumstances may you disclose anything about your participation in this program.
You are still bound by the Terms of Service you agreed to upon signup for your Trial account. Please read and understand this document as it affects your rights.