Penetration Testing & Vulnerability Scanning

Files.com undergoes third-party penetration testing on at least an annual basis. The scope of penetration testing includes the Files.com application, APIs, SDKs, marketing website, desktop and mobile clients, and the Files.com internal network. By policy, Files.com may not use the same penetration testing vendor in two consecutive annual penetration testing events.

In addition to other standards, we specifically require our testers to include testing related to the OWASP Top 10 vulnerabilities when conducting testing. The OWASP Top 10 includes testing for a multitude of risks, including injections, cache controls, hijacking, browser weaknesses, etc.

Download the latest PenTest Completion Letter.

Files.com also offers the security research community a Security Bug Bounty to help identify weaknesses to be addressed. Customers are welcome to participate in the Bug Bounty Program.

Penetration Testing and Vulnerability Management are reviewed as part of the SOC 2 Audit process. Files.com's InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

We applaud our customers for wanting to perform additional testing against Files.com. With that said, the topic of customer-performed penetration testing is a complicated one. Ultimately, we want to make a distinction between high quality penetration testing such as the testing conducted by high end Enterprise customers and low quality testing from cheap scanning vendors.

We are happy to support the former, and we want to discourage the latter, and therefore we limit customer-performed penetration testing.

Please coordinate with us before performing any testing. We would like to evaluate your choice of vendor prior to beginning any testing. Bad vendors tend to produce volumes of false positive alerts (such as discovering the presence of an FTP service, the use of passive FTP ports, etc.) and no actionable findings. Additionally, many of these vendors use automated scanners that can place high loads on our systems.

In order to conduct a test, you must sign a separate penetration testing agreement. You must also be a Premier or Enterprise customer and must also agree to share with us the results of your testing.

In most cases, we will quickly detect and ban your IP addresses if you attempt a penetration test against us without coordinating with us in advance. If you execute a testing agreement, we will offer to whitelist certain IP addresses for certain amounts of time.

We hope you can appreciate our desire to provide access to customer-performed penetration testing in a safe and efficient manner while protecting the Files.com service as much as possible.

Files.com undergoes regular automated vulnerability scans. These scans include our external public facing systems and the entire internal network. The tools used for scanning utilize the Common Vulnerability Scoring System (CVSS). Files.com leverages the AWS SecurityHub tool to perform daily security reviews of the AWS configuration. Any identified vulnerabilities are closed as soon as possible after detection utilizing the existing Patch Management and Change Management processes.

Files.com undergoes automated web application scanning, including for OWASP Top 10 vulnerabilities. The OWASP Top 10 includes testing for a multitude of risks, including injections, cache controls, hijacking, browser weaknesses, etc. Any identified vulnerabilities are closed as soon as possible after detection utilizing the existing development lifecycle processes.

Vulnerability Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.