Security at Filen
At Filen, protecting our customers' data is a top priority, and we genuinely value reports of serious security vulnerabilities in our products.
We no longer run a public bug bounty program. The volume of low-quality and automated submissions made it impossible to give genuine reports the attention they deserve. This page explains how to reach us if you have found a real, high-impact vulnerability.
Do not submit AI-generated reports
Please stop running automated AI scans against Filen and submitting the output. In our experience, well over 99% of AI-generated reports are low-quality and contain no real vulnerability, especially those produced by weaker models. They bury the genuine reports and waste our engineers' time. Any automated or AI-generated report that does not include a working, reproducible exploit will be closed without a response.
What we're looking for
We review original, previously unreported vulnerabilities of high or critical severity that come with a clear, reproducible proof of concept. The kind of impact we care about includes:
1. Authentication bypass or privilege escalation
2. Exposure of other users' personally identifiable information (PII)
3. Access to data outside your own authenticated account
4. Remote command execution or SQL injection
5. Access to deeper parts of our infrastructure
In scope
1. Our mobile app
2. Our desktop client
3. Our CLI
What we won't review
To keep our team focused on real issues, the following are out of scope and will be closed without a detailed response:
1. Theoretical findings with no demonstrated, practical impact
2. Automated scanning of any kind
3. Denial-of-service attacks
4. Social engineering of our employees, users, or contractors
5. Man-in-the-middle attacks, or attacks requiring physical access to a victim's device or our datacenters
6. Missing security best practices (e.g. CSP, email/DNS records, cookies) with no demonstrated exploit
7. Bypassing free-plan limits to access paid features
8. Clickjacking on pages without sensitive actions
How to report
If your finding genuinely meets the bar above, please open a ticket at https://filen.io/contact and include:
1. A summary of the issue and its potential impact
2. Step-by-step instructions to reproduce it
3. The environment you tested in
4. Proof-of-concept code or a recording that demonstrates the exploit
We review every qualifying report and may follow up for more detail. Please give us reasonable time to investigate and fix the issue before disclosing it publicly.
Rewards
We no longer offer guaranteed payouts. For exceptional, previously unknown high- or critical-severity findings, we may, entirely at our own discretion, offer a reward as a thank-you for your effort and responsible disclosure.
When testing, we ask that you
1. Only test against your own account, or one you have explicit permission to test
2. Make a good-faith effort to avoid privacy violations, data loss, and any disruption to our service
3. Never attempt to expand or escalate the access you obtain, and never access or modify other users' data
4. Report the issue to us privately and give us adequate time to fix it before any public disclosure
Safe harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.