submit bug report: https://www.files.com/Here at Files.com, we celebrate security and we encourage independent security researchers to help us keep our products secure.
We offer a Security Bug Bounty Program (the "Program") to create an incentive and reward structure so that researchers are able to devote resources to working on Files.com.
We will pay $100 to $10,000, at our discretion, to any researcher who discovers a significant security vulnerability in Files.com. We pay quickly and fairly, every time, as long as you follow our rules.
If you've found a vulnerability or would like to perform security research against Files.com, please read through the rules below.
NOTE: Testing is only authorized on the targets listed as In-Scope. Any domain/property of Files.com or Action Verb LLC (the owner and operator of Files.com) not listed in the targets section is out of scope. This includes any/all subdomains not listed in the In-Scope section.
Reports We Are Looking For
We want to know about anything about our platform that poses a significant security vulnerability to either us or our customers.
These can include:
Privilege Escalation
Authentication Bypass
Leakage of Sensitive Data
Remote Code Execution
SQL Injection
Cross-Site Request Forgery (XSRF)
Cross-Site Scripting (XSS)
Code Injection
... and more!
On the marketing site asset (
https://www.files.com) we are looking for vulnerabilities that lead to a vulnerability on the actual *.files.com platform.
Bug Bounty Program Requirements
To participate in our program, you must create trial account on our platform by navigating to Files.com.com and clicking the button to start a Free Trial. That Trial sign up process will create the 'your-assigned-subdomain.files.com' URL to be used for testing.
VERY IMPORTANT: Your account must include the phrase "[BUGBOUNTY]" in the "Company Name" used when registering. (Without the quotes, no space between the two words, but with square brackets.)
Here is an example of the values to use in the Trial sign up form:
Company name: [BUGBOUNTY] Trial Company
Phone Number: 555-555-5555
Work email:
[email protected]Password: Pa55w0rd
Absolutely do not under any circumstances input payment card information (credit card or debit card) or make a payment unless you intend to pay the charge in full. If you properly tag your account as a [BUGBOUNTY] site by following the directions above, we will not prompt you for payment during your testing period.
Failure to abide by the above will result in your full disqualification from this program.
Additional Rules:
Do not create more than four trial accounts within a 60-day period for the purpose of conducting security research against our platform.
Do not attempt to gain access to another user's account or data.
Do not impact other users with your testing.
Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
Do not publicly disclose a bug either before or after it has been fixed. Public disclosure means disclosure to anyone, even on private "Hacker" websites and forums.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Do not upload information about the vulnerability to any site you do not directly own. This includes uploading videos to YouTube, Vimeo, etc, even if marked private.
Any scanners or automated tools used to find vulnerabilities need to be rate limited.
Decisions made by us regarding the eligibility of submissions are final. Do not write back to dispute a decision.
You are expected to be 100% professional and pleasant to work with via E-Mail.
Reports That Do Not Qualify
The following types of reports do not qualify and will not pay a bounty.
Anything related to billing, pricing, ability to get "free" service, ability to not be charged for certain types of usage, etc. Our billing is all manually reviewed and none of these things are a problem in practice.
Reports related to actual authenticated Site Admins being able use their position as Site Admin to attack other users by using sitewide administration features.
Vulnerabilities that only affect outdated or unpatched browser/plugin versions.
Vulnerabilities requiring exceedingly unlikely user interaction.
Vulnerabilities, such as timing attacks, that prove the existence of a user or site.
Vulnerabilities requiring social or physical attacks.
Reports related to denial of service attacks or DNSsec.
Insecure cookie settings for non-sensitive cookies.
Reports related to HTTP Digest authentication being better than HTTP Basic (it isn't)
Reports related to password strength requirements
Disclosure of public information and information that does not present significant risk.
Vulnerabilities that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.
Scripting or other automation and brute forcing of intended functionality.
Issues that we can't understand or reproduce.
Vulnerabilities that involve running local code to modify or manipulate the desktop application on Windows or Mac.
Reports related to the Quarantine feature on Mac.
Commonly False Positive Reports
Files.com is an FTP, SFTP, and WebDAV hosting service. Obviously this means that we will have an open FTP server on port 21, SFTP on port 22, and it means that our servers respond to DAV verbs.
EXIF Geolocation data not being stripped. Files.com does not alter uploaded content in any way. Users are free to upload and share content any way they want.
Files.com offers the ability to make a folder publicly hosted at
https://subdomain.hosted-by-files.com/folder_name/. This hosting mode is intended to be full-featured web hosting just like any other web hosting provider, meaning that the ability to serve full websites with Javascript is intended. This means that you can upload malicious Javascript to that folder and have it be served. That's intentional. In order for an XSS attack related to public hosting to be in scope, it needs to relate to one Files.com customer attacking another customer, rather than attacking itself.
Important Terms
We aim to pay bounties as quickly as possible and will pay bounties sometimes before the issue is patched. Therefore, we require that you do not disclose any vulnerability publicly, either before or after the bounty is paid.
If paid a bounty, you may disclose that you received a bounty, but you may not disclose the amount or any information related to the type of vulnerability you found. Under no other circumstances may you disclose anything about your participation in this program.
You are still bound by the Terms of Service you agreed to upon signup for your Trial account. Please read and understand this document as it affects your rights.
To Report a Vulnerability
To report a vulnerability, first re-read this entire page to be sure that you understand the terms. We may refuse to pay bounties if you violate the terms on this page, even if we act on the submission.
We will respond as quickly as possible to your submission.