Security Bug Bounty Program

Our program for cooperating with independent security researchers looking to help us keep our product secure.

Last Modified: September 5, 2017

Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Programs by Google, Facebook, Mozilla, Github, and others have helped to create a strong bug-hunting community.

Here at Files.com, we celebrate security and we encourage independent security researchers to help us keep our products secure. We offer a Security Bug Bounty Program (the "Program") to create an incentive and reward structure so that researchers are able to devote resources to working on Files.com.

We will pay $100 to $1,000, at our discretion, to any researcher who discovers a significant security vulnerability in Files.com. We pay quickly and fairly, every time, as long as you follow our rules.

If you've found a vulnerability or would like to perform security research against Files.com, please read through the rules below.

Reports We Are Looking For

We want to know about anything about our platform that poses a significant security vulnerability to either us or our customers.

These can include:

  • Privilege Escalation

  • Authentication Bypass

  • Leakage of Sensitive Data

  • Remote Code Execution

  • SQL Injection

  • Cross-Site Request Forgery (XSRF)

  • Cross-Site Scripting (XSS)

  • Code Injection

Bug Bounty Program Requirements

  • To participate in our program, you must create a trial account on our platform by navigating to files.com and clicking the button to start a Free Trial. Your account must include the phrase "[BUGBOUNTY]" in the "Site Name" used when registering. (Without quotes, but with square brackets.)

  • Do not create more than one trial account within a 60-day period for the purpose of conducting security research against our platform.

  • Do not attempt to gain access to another user's account or data.

  • Do not impact other users with your testing.

  • Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.

  • Do not publicly disclose a bug either before or after it has been fixed. Public disclosure means disclosure to anyone, even on private "Hacker" websites and forums.

  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • Do not upload information about the vulnerability to any site you do not directly own. This includes uploading videos to YouTube, Vimeo, etc, even if marked private.

  • Any scanners or automated tools used to find vulnerabilities need to be rate limited.

  • Decisions made by us regarding the eligibility of submissions are final. Do not write back to dispute a decision.

  • You are expected to be 100% professional and pleasant to work with via E-Mail.

Reports That Do Not Qualify

The following types of reports do not qualify and will not pay a bounty.

  • Vulnerabilities that do not grant any additional ability or privileges beyond normal Files.com features.

  • Vulnerabilities on the files.com marketing website or support website, unless they lead to a vulnerability on the actual Files.com platform.

  • Vulnerabilities that only affect outdated or unpatched browser/plugin versions.

  • Vulnerabilities requiring exceedingly unlikely user interaction.

  • Vulnerabilities, such as timing attacks, that prove the existence of a user or site.

  • Vulnerabilities requiring social or physical attacks.

  • Reports related to denial of service attacks or DNSSEC.

  • Insecure cookie settings for non-sensitive cookies.

  • Disclosure of public information and information that does not present significant risk.

  • Vulnerabilities that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.

  • Scripting or other automation and brute forcing of intended functionality.

  • Issues that we can't understand or reproduce.

Commonly False Positive Reports

  • The Custom Header/Footer/CSS/Login Text/etc. fields are intended to be able to contain JavaScript or CSS. These are writable only by Site Admins, and the ability for admins to insert script there is intended; this is not a vulnerability.

  • Files.com is an FTP, SFTP, and WebDAV hosting service. Obviously this means that we will have an open FTP server on port 21, SFTP on port 22, and it means that our servers respond to DAV verbs.

Reporting any of the above false positives shall result in your being blacklisted from the Program.

Program History

We have paid out over $25,000 in bounties to more than 50 reporters under this program, including both direct reports and our program via HackerOne. We maintain a separate Thank You page on HackerOne for folks who submitted vulnerabilities through that platform.

Bounty Recipients (outside of HackerOne):

  • Mahmoud Reda Abdelmonem

  • Mohammed Abdulqader Abobaker Al-saggaf

  • Ahmed Albanna

  • Hamid Ashraf @hamihax

  • Brett Buerhaus

  • Mohammed Fayez

  • Peter Kim

  • Vineet Kumar

  • Sasi Levi

  • Rafael Pablos

  • Sakshyam Shah

  • Shay Shavit

  • Shailesh Suthar

Thank you to all of you for your participation.

Important Terms

We aim to pay bounties as quickly as possible and will pay bounties sometimes before the issue is patched. Therefore, we require that you do not disclose any vulnerability publicly, either before or after the bounty is paid.

If paid a bounty, you may disclose that you received a bounty, but you may not disclose the amount or any information related to the type of vulnerability you found. Under no other circumstances may you disclose anything about your participation in this program.

You are still bound by the Terms of Service you agreed to upon signup for your Trial account. Please read and understand this document as it affects your rights.

Files.com's program is independent of any aggregation sites or other programs that may exist. Our rules and submission process are described only in this document and will likely deviate from other programs that you may also work with.

To Report a Vulnerability

To report a vulnerability, first re-read this entire page to be sure that you understand the terms. A single violation of the terms set forth on this page will lead to an immediate revocation of your access to the Bug Bounty program and we will not pay any bounties to anyone who has violated any of the terms on this page.

To report a vulnerability, email security@files.com and include the following 5 things:

  • The date you tested for and found the vulnerability

  • A short description of the potential impact

  • The Support PIN from your trial website. (You may obtain this by choosing "Support" from the upper-right-hand corner flyout menu.)

  • Your PayPal or Bitcoin address for payment of the bounty.

  • The following affirmative statement (don't just copy and paste, be sure to read it):

    I HAVE READ AND UNDERSTAND AND AGREE TO THE TERMS OF THE BUG BOUNTY PROGRAM. I AGREE TO THE FILES.COM TERMS OF SERVICE. I HAVE COMPLIED AND WILL COMPLY WITH THE RULES OF THE PROGRAM AND THE TERMS OF SERVICE. I HAVE NOT DISCLOSED THIS SUBMISSION TO ANYONE. I DISCOVERED IT MYSELF. I WILL NOT DISCLOSE THIS SUBMISSION TO ANYONE. I DO (or DO NOT) WANT MY NAME PUBLISHED ON YOUR HALL OF FAME IF THIS IS ACCEPTED.

Submissions lacking any of the required elements above will not be eligible for the Program; however, we will obviously evaluate them anyway, and we reserve the right to act on their recommendations without notice to the submitter.

If your submission is in compliance with our rules, we will respond as quickly as possible to your submission.

If you do not receive a response within 48 hours and you are absolutely certain that you are in 100% compliance with these rules, please write to us again to check on the status of your submission.

HackerOne Program

We also run a parallel version of the Security Bug Bounty program on HackerOne to encourage more participation in the program. Right now the HackerOne program is Invite-only, but upon launch you will be able to find it here.

Should you prefer to participate in the HackerOne version of our program, please write to us at security@files.com with your HackerOne username and we will send you an invitation.