Responsible Security Disclosure

Security at PhotonFile

PhotonFile is built around privacy-first architecture, explicit user control, and systems designed to minimize retained data in Relay while protecting persistent encrypted data in Photon Vault. If you believe you've discovered a security issue, we welcome responsible disclosure and clear, reproducible reports.

How to report an issue

Please send security reports to [email protected].

A useful report should include a clear description of the issue, affected endpoints or components, reproduction steps, proof of concept where applicable, and an explanation of practical impact. Reports that are generic, theoretical, or not reproducible may not be reviewed.

What a strong report looks like

High-quality reports are clear, reproducible, and focused on real-world impact. A good submission typically includes:

  • Summary: One or two sentences describing the issue and affected area
  • Steps to reproduce: Exact steps, including URLs, requests, or actions
  • Proof of concept: Screenshots, request/response samples, or minimal code
  • Impact: What an attacker could realistically do
  • Scope: Which users, roles, or systems are affected

Example format

Summary:
User can access another user's vault metadata via direct object reference

Steps:
1. Log in as user A
2. Navigate to /api/vault?id=1234
3. Modify id to another user's vault
4. Observe metadata returned

Impact:
Unauthorized access to vault structure and metadata

Notes:
Requires valid session but no additional privileges

High-value reports usually involve

  • Unauthorized access to accounts, teams, vaults, or files
  • Authentication or authorization bypass
  • Exposure of sensitive metadata or security tokens
  • Privilege escalation across users or team roles
  • Cryptographic weaknesses or key handling failures
  • Ways to access or modify data without permission

Reports that are usually out of scope

  • Automated scanner output without demonstrated impact
  • Missing headers or best-practice suggestions without exploitability
  • Self-XSS or issues that only affect the reporting user
  • Issues requiring unrealistic or contrived user interaction
  • Previously known, duplicate, or already disclosed issues
  • Intended product behavior and policy disagreements

Session management note

PhotonFile intentionally separates password changes from global session revocation. Users can explicitly revoke active sessions across devices using the dedicated session control in account settings.

Behavior where active sessions persist after a password change, unless the user separately chooses to revoke them, is not considered a security vulnerability by itself.

Reward policy

While PhotonFile does not run a formal bounty program, we do reward meaningful, well-documented security findings that materially impact user safety or platform integrity.

We recognize and reward high-quality, impactful security findings at our discretion. Reports that demonstrate clear, reproducible issues with meaningful impact to user security are much more likely to be considered.

Safe harbor

We will not pursue legal action against researchers who act in good faith and stay within the bounds of responsible testing:

  • Do not access, alter, or retain other users' data
  • Do not intentionally degrade, disrupt, or overload service availability
  • Do not attempt social engineering, phishing, or physical attacks
  • Do not publicly disclose the issue before we have had reasonable time to review and address it

Responsible disclosure expectations

We ask researchers to minimize impact during testing, avoid data exfiltration beyond what is strictly necessary to demonstrate an issue, and give us a reasonable opportunity to investigate and resolve reported vulnerabilities before any public disclosure.

How PhotonFile approaches security

Ephemeral relay design

PhotonFile's relay pipeline is designed around live transfer, short-lived handling, and minimizing retained relay-layer data wherever possible.

Zero-knowledge vault model

Vault features are designed around client-side encryption and user-controlled access so server-side systems are not the source of plaintext vault contents.

Explicit user control

PhotonFile favors explicit controls over surprising side effects. That includes account security actions such as session revocation, which are intentionally exposed as clear, user-directed controls rather than silently bundled with unrelated actions.

Thanks for reporting responsibly

We appreciate researchers and users who take the time to report real issues responsibly. High-signal reports help us improve the product while preserving trust in a platform built around privacy and security.
