Penetration Testing & Vulnerability Scanning
Files.com identifies and remediates vulnerabilities across its infrastructure, codebase, and cloud environment through a combination of manual third-party penetration testing and automated scanning.
These practices are reviewed annually as part of our SOC 2 Type II audit.
Third-Party Penetration Testing
Files.com undergoes third-party penetration testing at least once per year. Each annual test covers:
- The Files.com web application
- Public APIs and SDKs
- Supporting infrastructure
Files.com does not use the same penetration testing vendor in two consecutive years, which keeps the testing objective and broadens the range of techniques applied.
All penetration testing engagements are scoped to test for the OWASP Top 10 vulnerabilities. These include (but are not limited to):
- Injection attacks (e.g., SQL, command, LDAP)
- Session management flaws
- Cross-Site Scripting (XSS)
- Insecure deserialization
- Broken access controls
- Browser security misconfigurations
PenTest Completion Letters
Customers can download our PenTest Completion Letters for formal confirmation that testing was performed. For additional details, refer to our SOC 2 report, which is available under NDA.
Files.com Bug Bounty Program
Files.com runs a Security Bug Bounty Program so that independent security researchers can responsibly disclose vulnerabilities. The program has helped us identify and resolve security issues in production on an ongoing basis, and customers are welcome to participate or review it.
Automated Vulnerability Scanning
Files.com runs regular automated vulnerability scans, which include:
- Monthly scans of all public-facing systems and the internal network
- Daily security posture monitoring through AWS Security Hub, with alerts based on AWS best practices and CVSS (Common Vulnerability Scoring System)
- Automated web application scanning, including specific checks for OWASP Top 10 risks
Vulnerabilities identified during scanning are prioritized and resolved through our Patch Management and Change Management processes. Web application vulnerabilities are remediated through our secure development lifecycle practices.