
Responsible Disclosure Policy

Last Updated: February 2026


Report a vulnerability

Email: security@fileshot.io
For general questions: admin@fileshot.io


FileShot.io is a security-focused product. We take vulnerability reports seriously and we are grateful to security researchers who help make the service safer for everyone. We will work with you to understand, prioritize, and address reported issues as quickly as possible.

We follow a coordinated disclosure model: report privately, allow us time to fix, then disclose publicly if desired. We do not pursue legal action against researchers who follow this policy in good faith.

What's in scope

We are interested in vulnerabilities affecting the following properties and systems:

  • fileshot.io — main web application (upload, download, share)
  • api.fileshot.io — backend API
  • FileShot browser extension (Chrome, Chromium MV3)
  • FileShot desktop application (Windows, macOS, Linux)
  • Zero-knowledge encryption implementation — correctness, key exposure, bypass
  • Authentication & session management — login flows, token handling, session fixation
  • Access control — unauthorized access to files or accounts
  • Password-protected file security — bypass of server-side password gate or of client-side decryption

What's out of scope

The following are generally not actionable as vulnerabilities in our context, and reports about these will be closed without a fix:

  • Attacks requiring physical access to an authenticated user's unlocked device
  • Self-XSS (XSS that requires the victim to enter the payload themselves)
  • Issues only exploitable via social engineering
  • Scanner output with no demonstrated impact (Nikto, Nessus, etc.)
  • Rate limiting on non-sensitive endpoints (e.g., the homepage)
  • Missing HTTP security headers with no demonstrated exploit path
  • TLS configuration issues on non-sensitive subdomains
  • Denial-of-service via file upload (normal use case)
  • Issues in third-party services we depend on (Stripe, Cloudflare, etc.) — report those directly to the vendor

How to report

Send an email to security@fileshot.io with the subject line: [Security] <brief description>

Please do not report vulnerabilities via public issue trackers, social media, or disclosure forums before we have had an opportunity to investigate and issue a fix. This protects FileShot users from exploitation while we work on a solution.

For encrypted communication, contact us first at the above address and we will exchange PGP keys if needed.

What to include in your report

The more detail you provide, the faster we can investigate. Please include:

  • Affected component — which URL, API endpoint, extension feature, or desktop function is affected
  • Vulnerability type — XSS, IDOR, auth bypass, cryptographic weakness, etc.
  • Step-by-step reproduction instructions — starting from a fresh browser/account state
  • Impact assessment — what can an attacker do with this? Which users are affected? What data is exposed?
  • Evidence — screenshots, request/response captures, PoC code (kept private until fix is deployed)
  • Your environment — browser, OS, extension version, or desktop app version
  • Suggested fix (optional but appreciated)

Our commitments to researchers


Acknowledgement within 2 business days

We will confirm receipt of your report and assign it a tracking ID.


Status update within 7 business days

We will inform you whether we consider the issue valid, our severity assessment, and an estimated remediation timeline.


No legal action for good-faith research

We will not pursue legal action against researchers who follow this policy, act in good faith, and do not exploit vulnerabilities beyond what is necessary to demonstrate them.


Coordinated public disclosure

After a fix is deployed, we support public disclosure at a timeline agreed with you. Default embargo period: 90 days from fix deployment, or sooner at mutual agreement.

Researcher guidelines

To qualify for safe harbor under this policy, we ask that you:

  • Do not access, modify, or delete data that isn't yours. Use test accounts you control. If you inadvertently access real user data, stop immediately and report it.
  • Do not perform DoS or resource exhaustion attacks that would degrade service availability for other users.
  • Do not make changes to production data, configurations, or infrastructure without explicit written permission.
  • Do not publicly disclose the vulnerability until we have deployed a fix and given you the go-ahead (or 90 days have passed after our first meaningful response, whichever comes first).
  • Do not use the vulnerability for personal gain — downloading user files, exfiltrating credentials, using compute resources, etc.

Research conducted in violation of these guidelines may not qualify for safe harbor and could result in referral to relevant authorities.

Recognition

FileShot.io does not currently operate a paid bug bounty program. We genuinely appreciate security research time and effort — it takes skill and dedication.

For valid, significant findings confirmed and fixed by our team, we offer:

  • Public acknowledgement in our security changelog (with your permission)
  • A complimentary FileShot Pro subscription for reports of critical or high-severity vulnerabilities

Reward eligibility is at our discretion based on severity, quality of the report, and adherence to this policy.
