Bug Bounties at Filen

Help us keep Filen secure by reporting real, high-impact vulnerabilities responsibly.

At Filen, protecting our users' data is one of our highest priorities. As an end-to-end encrypted cloud storage provider, security and privacy are at the core of what we build.

We genuinely value responsible security research and appreciate researchers who take the time to submit original, reproducible, high-quality vulnerability reports. At the same time, we have seen a sharp increase in automated, low-effort, and AI-generated submissions that do not describe real vulnerabilities and often contain technically incorrect assumptions.

To make sure genuine reports receive the attention they deserve, we have changed how we handle security submissions.

We no longer run a classic bug bounty program

Filen no longer operates a public bug bounty program with guaranteed payouts.

We still review serious security reports, especially previously unknown high or critical severity vulnerabilities with clear practical impact. However, submitting a report does not guarantee a reward. Any reward is offered entirely at our discretion and depends on the severity, originality, reproducibility, quality, and real-world impact of the finding.

Our goal is simple: we want to focus our engineering resources on real vulnerabilities, not on reviewing automated output or speculative reports that do not demonstrate an actual issue.

Do not submit AI-generated or automated reports

Please do not run automated AI scans against Filen and submit the generated output as a vulnerability report.

In our experience, the overwhelming majority of AI-generated reports contain no real vulnerability. They often describe issues that do not exist, misunderstand how our systems work, or repeat generic security advice without demonstrating any practical impact.

Reports that are clearly AI-generated, automated, copied from scanners, or low effort will be closed without a detailed response.

This includes reports that:

  1. Contain no working proof of concept
  2. Describe only theoretical or generic risks
  3. Claim a high or critical severity issue without demonstrating real impact
  4. Are based on automated scanner output without manual verification
  5. Include incorrect assumptions about Filen’s architecture or encryption model
  6. Appear to be mass-submitted to many companies with minimal changes

If you use AI tools to help write, format, or explain your report, that is not the problem. The issue is submitting unverified AI output as if it were a confirmed vulnerability.

A qualifying report must still be original, manually verified, technically correct, reproducible, and relevant to Filen.

What we are looking for

We are interested in original, previously unreported vulnerabilities of high or critical severity that include a clear, reproducible proof of concept.

Examples of issues we care about include:

  1. Authentication bypass or privilege escalation
  2. Access to data outside your own authenticated account
  3. Exposure of other users' personally identifiable information
  4. Remote command execution
  5. SQL injection with demonstrated practical impact
  6. Access to deeper parts of our infrastructure
  7. Serious flaws affecting Filen’s security or privacy guarantees

A strong report should clearly explain what the issue is, why it matters, how it can be reproduced, and what real-world impact it has.

In scope

The following assets are in scope for serious vulnerability reports:

  1. https://filen.io
  2. https://app.filen.io
  3. https://gateway.filen.io
  4. https://ingest.filen.io
  5. https://egest.filen.io
  6. https://socket.filen.io
  7. https://cdn.filen.io
  8. Filen mobile apps
  9. Filen desktop client
  10. Filen CLI

Out of scope

To keep our team focused on real security issues, the following are out of scope and may be closed without a detailed response:

  1. AI-generated reports without a working, reproducible exploit
  2. Automated scanning results of any kind without manual verification
  3. Theoretical findings with no demonstrated practical impact
  4. Denial-of-service attacks
  5. Social engineering of our employees, users, partners, or contractors
  6. Man-in-the-middle attacks that require control over a victim’s network
  7. Attacks requiring physical access to a victim’s device
  8. Attacks requiring physical access to our datacenters or infrastructure
  9. Missing security best practices without a demonstrated exploit, including generic CSP, cookie, DNS, email, or header findings
  10. Clickjacking on pages without sensitive actions
  11. Bypassing free-plan limits to access paid features
  12. Reports about https://filen.io/hub/
  13. Duplicate reports or issues already known to us
  14. Reports submitted only to request a reward without demonstrating a real vulnerability

How we evaluate reports

When reviewing a report, we consider:

  1. Whether the vulnerability is real and reproducible
  2. Whether it was previously unknown to us
  3. The realistic impact on Filen, our users, or our infrastructure
  4. The likelihood and practicality of exploitation
  5. The quality and clarity of the report
  6. Whether the researcher followed this policy and tested responsibly

A report marked as “critical” or “high” in the title will not be treated as such unless the content of the report clearly supports that severity.

Rewards

We no longer offer guaranteed payouts for security reports.

For exceptional, previously unknown high or critical severity vulnerabilities, we may offer a discretionary reward as a thank-you for responsible disclosure. The amount, if any, depends on the demonstrated impact, exploitability, report quality, and overall relevance of the finding.

Low, informational, theoretical, duplicate, automated, or AI-generated submissions are not eligible for rewards.

Submitting a report does not create any entitlement to payment.

How to report a vulnerability

If your finding meets the criteria above, please contact us through:

https://filen.io/contact

Please include:

  1. A clear summary of the issue
  2. The potential impact
  3. Step-by-step reproduction instructions
  4. The environment you tested in
  5. Proof-of-concept code, screenshots, or a short recording demonstrating the exploit
  6. Any relevant account IDs, request examples, logs, or timestamps

Please keep your report concise, factual, and focused on the verified vulnerability.

Responsible testing

When testing Filen, we ask that you:

  1. Only test against your own account or an account you have explicit permission to use
  2. Avoid accessing, modifying, deleting, or exfiltrating other users' data
  3. Make a good-faith effort to avoid privacy violations, data loss, and service disruption
  4. Do not attempt to escalate access beyond what is necessary to prove the issue
  5. Do not perform denial-of-service testing
  6. Report the issue privately and give us reasonable time to investigate and fix it before any public disclosure

Safe harbor

Activities conducted in a manner consistent with this policy will be considered authorized conduct. We will not initiate legal action against researchers who act in good faith, follow this policy, and avoid harm to Filen, our users, and our infrastructure.

If a third party initiates legal action against you in connection with activities conducted under this policy, we will take reasonable steps to make it known that your actions were conducted in compliance with our policy.

Thank you

We appreciate serious, responsible security research. Genuine, well-documented reports help us improve Filen and protect our users.

At the same time, we ask researchers not to submit automated, speculative, or AI-generated reports that do not demonstrate a real vulnerability. Reducing noise allows our team to spend more time on meaningful reports and respond more effectively when a real issue is found.

Thank you for helping us keep Filen secure.

The Filen Security Team
