Bug Bounties at Filen

At Filen, we care deeply about the security and privacy of our users. As an end-to-end encrypted cloud storage provider — and as a company rooted in cybersecurity — protecting our systems and data is more than just a priority. It’s a fundamental part of our identity.

We’ve maintained a Bug Bounty Program to encourage independent security researchers to responsibly disclose vulnerabilities, and this has helped us identify and resolve issues before they could pose a risk in the real world.

This post provides additional insight into how we internally evaluate reports and determine reward amounts. We want to be transparent about our process — while also setting clear and realistic expectations.


💶 A Note on Rewards

As a small, independently funded team, we’re operating with limited financial resources. That said, we greatly value the work of researchers and do our best to offer fair rewards based on impact, report quality, and severity.

Below is an overview of our reward tiers. These ranges serve as general guidance — depending on context and technical depth, we may adjust payouts accordingly.


Severity Levels and Reward Ranges

🟢 Low (Class 4)

What it means:
Minor or mostly theoretical vulnerabilities that pose little or no practical security risk.

Examples:

  • Clickjacking
  • Missing or misconfigured security headers
  • Information disclosure via verbose error messages

Reward Range:
💰 €0–€50


🟡 Medium (Class 3)

What it means:
Issues that are technically valid and may pose a security concern, but are difficult to exploit or require specific edge-case conditions.

Examples:

  • Reflected XSS
  • CSRF with limited scope
  • Subdomain takeover
  • Rate limiting bypass

Reward Range:
💰 €50–€100


🟠 High (Class 2)

What it means:
Vulnerabilities that may affect user privacy, authentication mechanisms, or business logic in a meaningful way — particularly if they can be exploited without advanced access.

Examples:

  • Stored XSS in internal/admin interfaces
  • Privilege escalation via mass assignment
  • IDOR exposing data from other users
  • Sensitive information leakage through API responses

Reward Range:
💰 €100–€500


🔴 Critical (Class 1)

What it means:
Theoretical vulnerabilities which, under certain rare and specific conditions, might allow a complete compromise of critical systems or access to sensitive user data — if successfully exploited.

Examples:

  • Full database access including PII
  • Authentication bypass (e.g. via IDOR)
  • Unauthorized admin-level access
  • Admin panel access without authentication

Reward Range:
💰 €500–€1,000 (In exceptional cases, up to €1,500)


📝 How We Evaluate Reports

When assessing a vulnerability report, we take into account:

  • The realistic impact and likelihood of exploitation
  • The clarity, reproducibility, and quality of the report
  • Whether the issue was previously known or reported

We encourage well-documented, responsibly disclosed findings — even if you're unsure of their severity. Every valid report helps us harden our infrastructure and improve overall security.

🔗 Want to Report Something?

You’ll find all official details and submission guidelines on our Bug Bounty Program page. For sensitive disclosures, please contact us via:

  • filen.io/contact
  • marketing@filen.io
  • filen.io/pgp

Whether you're reporting a critical issue or just something minor — thank you. Your work helps us move forward, and we appreciate your role in making Filen safer for everyone.

The Filen Security Team