Bug bounty and responsible disclosure

Hivenet is committed to protecting user data and keeping our infrastructure secure. We welcome help from the security research community in identifying and responsibly disclosing vulnerabilities in Hivenet products and services.

Last update:

June 8, 2026

Introduction

Hivenet provides cloud storage, file sharing, and compute services to individuals and businesses. Trust in those services depends on a security posture that is continuously tested, reviewed, and improved.

The Hivenet bug bounty program encourages good-faith security research in our products and services. We believe responsible collaboration with skilled researchers helps protect Hivenet users, Hivenet infrastructure, and the wider internet. We are committed to rewarding researchers who help us identify vulnerabilities before malicious actors do.

Program notice

This is a privately managed bug bounty program. All submissions, triage, and reward decisions are handled directly by the Hivenet Security team. By submitting a report, you agree to the terms outlined on this page. The program is managed by HIVE COMPUTING SERVICES SA, operating publicly under the Hivenet brand.

Program scope

Only vulnerabilities affecting the assets explicitly listed below are eligible for a bounty reward. Submissions targeting assets outside this list are not eligible by default. Hivenet may, at its sole discretion, consider otherwise out-of-scope findings on an exceptional basis.

Asset

Type

Platform or URL

Status

Hivenet iOS app

Mobile application for Store

Apple App Store

In scope

Hivenet Android app

Mobile application for Store

Google Play Store

In scope

Hivenet macOS app

Desktop application for Store

macOS download

In scope

Hivenet web app

Web application for Store

app.hivenet.com

In scope

Compute console

Web application for Compute

console.hivecompute.ai

In scope

Swipe left to see more

Out-of-scope assets and vulnerability types

The following are explicitly excluded from this program. Submissions involving these assets or findings will be closed without reward:

  • Any asset, domain, subdomain, or service not explicitly listed in the in-scope table above, including Send, GPT or private AI services, marketing websites, support tools, and staging environments unless Hivenet confirms otherwise before testing.
  • Third-party libraries, SDKs, or services integrated into our products where the vulnerability originates upstream.
  • Physical attacks, social engineering, phishing, or vishing against Hivenet employees or contractors.
  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks.
  • Rate limiting or brute-force issues on unauthenticated endpoints without a concrete exploitable impact.
  • Clickjacking on pages that do not perform sensitive actions.
  • Missing HTTP security headers, including X-Frame-Options, Content-Security-Policy, and similar defensive headers, without a working proof of concept that demonstrates concrete and exploitable impact.
  • SSL/TLS configuration best-practice issues without a working proof of concept.
  • Theoretical vulnerabilities or best-practice recommendations with no demonstrated path to exploitation.
  • Vulnerabilities already known to, or actively being addressed by, the Hivenet Security team.
  • Automated scanner output without manual validation and demonstrable impact.
  • Self-XSS that requires the victim to execute malicious input themselves.
  • Account takeover via credential stuffing or password spraying against accounts you do not own.
  • Findings derived from compromised credentials obtained outside the scope of this program.

Qualifying vulnerabilities

We will consider any design or implementation issue that substantially affects the confidentiality, integrity, or availability of user data or Hivenet infrastructure. This includes, but is not limited to:

Web applications

  • Cross-site scripting (XSS).
  • Cross-site request forgery (CSRF).
  • SQL or NoSQL injection.
  • Authentication and authorization flaws.
  • Server-side request forgery (SSRF).
  • Server-side code execution.
  • REST or GraphQL API vulnerabilities.
  • Insecure direct object references (IDOR).
  • Privilege escalation.

Desktop and mobile apps

  • Remote code execution.
  • Local data or credential leakage.
  • Keychain or secure storage bypass.
  • Insecure update or code-signing mechanisms.
  • Authentication and authorization weaknesses.
  • Local privilege escalation.
  • Unprotected sensitive app components.
  • Improper certificate validation, including man-in-the-middle exposure.

Infrastructure and APIs

  • Container escape in Kubernetes or Docker environments.
  • Privilege escalation on compute nodes.
  • Unauthorized API access.
  • Unauthorized shell access.
  • Tenant isolation bypass for cloud storage.
  • Secrets or credentials exposed in responses.

Cryptography and data

  • Weak or broken encryption implementations.
  • Encryption key material exposure.
  • Decryption oracle attacks.
  • Sensitive data exposure in transit or at rest.
  • Insecure random number generation.

Reward structure

Rewards are paid in USD via bank transfer or another mutually agreed method. The severity of a finding, and therefore its reward, is determined by the Hivenet Security team using the CVSS 3.1 or CVSS 4.0 scoring framework. All severity classifications are final and at Hivenet’s sole discretion.

Severity

Reward

Criteria

Critical

$1,000

CVSS score of 9.0 or higher. Full compromise of user data, sustained unauthorized control of infrastructure, or complete tenant isolation bypass without special conditions.

High

$500

CVSS score of 7.0 to 8.9. Significant breach of data confidentiality or integrity affecting a broad group of users, without requiring special conditions or prior access.

Medium

$250

CVSS score of 4.0 to 6.9. Unauthorized access to part of the environment, or user-data compromise affecting a single user with significant interaction required.

Low

$100

CVSS score of 0.1 to 3.9. Limited impact or unlikely exploitation conditions. The finding must still have a demonstrable path to impact to qualify.

Swipe left to see more

Reward conditions

Rewards are only disbursed after the Hivenet Security team has validated the vulnerability and confirmed the CVSS score. Duplicate submissions, out-of-scope findings, and reports without sufficient reproduction steps are not eligible. Hivenet reserves the right to adjust reward amounts based on impact, novelty, report quality, and exploitation complexity.

CVSS scoring requirement

All submissions must include a valid CVSS 3.1 or CVSS 4.0 vector string alongside the proposed severity rating. The Hivenet Security team will validate the vector and may adjust it, which may affect the reward tier. Submissions without a CVSS vector will not be processed.

Use the official CVSS calculators to generate your vector:

FIRST CVSS 3.1 Calculator.

FIRST CVSS 4.0 Calculator.

NVD CVSS Calculator from NIST.

Example CVSS 3.1 vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Score: 10.0, critical. Network-accessible, low complexity, no privileges, no user interaction, scope changed, and full confidentiality, integrity, and availability impact.

Example CVSS 4.0 vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Score: 10.0, critical. Network-accessible, high system impact with high subsequent system impact.

How to submit a report

Send all vulnerability reports by email to bugbounty@hivenet.com. Send one vulnerability per email so we can triage reports efficiently. Each report must include the fields below.

Field

Required

What to include

Subject

Yes

[BUG BOUNTY] <Brief vulnerability title>

Vulnerability title

Yes

A concise, descriptive name for the vulnerability.

Description

Yes

Full description of the vulnerability, including the affected component, root cause, and potential impact on Hivenet users or infrastructure.

Severity

Yes

Critical, high, medium, or low, with justification.

CVSS vector

Yes

CVSS:3.1/AV:… or CVSS:4.0/AV:…, with computed score.

Steps to reproduce

Yes

Clear reproduction steps. Include screenshots, screen recordings, or a proof-of-concept script where applicable.

Remediation recommendation

No

Your suggested fix or mitigation strategy. This is not required, but high-quality remediation guidance is appreciated and may positively influence reward assessment.

Your contact info

No

Name or handle, plus your preferred contact email for follow-up.

Swipe left to see more

Tips for a strong report

The clearer and more reproducible your report is, the faster we can validate it. Attach proof-of-concept scripts, screenshots, or screen recordings. Reference specific lines of code or API endpoints where possible. Reports that allow us to reproduce the issue on first read receive priority attention.

Do not publicly disclose suspected vulnerabilities

Do not share details of a suspected vulnerability publicly, on social media, or with third parties until Hivenet has confirmed the finding and both parties have agreed on a disclosure timeline. Early public disclosure may disqualify the submission from reward eligibility.

Disclosure process

After you submit a report, our process is as follows:

  1. Acknowledgment within 5 business days
    • We will confirm receipt of your submission and assign it an internal tracking ID. If we need clarification, we will contact you during this period.
  2. Triage and validation within 15 business days
    • The Hivenet Security team will reproduce the issue, validate your CVSS vector, and determine whether the finding qualifies under the program. You will receive a status update.
  3. Severity confirmation
    • We will confirm or adjust the severity and CVSS score. If our assessment differs from yours, we will explain our reasoning. Our determination is final.
  4. Remediation
    • Our engineering team will work to fix the vulnerability. We will keep you informed of progress.
  5. Reward payment
    • Once the fix is confirmed, we will process your reward and contact you to arrange payment. With your permission, we may also credit you publicly in our security acknowledgments.

Eligibility requirements

To be eligible for a reward under this program, you must meet all of the following conditions:

  • The vulnerability must be original and previously unreported. Duplicate submissions for the same vulnerability will not be rewarded. If two researchers report the same issue independently within 72 hours, the reward will be split equally.
  • You must not be a Hivenet employee or contractor, and you must not have a current business relationship with Hivenet or any Hivenet subsidiary or affiliate.
  • You must be old enough to participate in and receive payment from a program of this nature in your jurisdiction, or otherwise have the appropriate consent.
  • You must not be listed on any applicable government sanctions list, including OFAC’s SDN list, and must not reside in a jurisdiction subject to applicable sanctions.
  • You must not have exploited the vulnerability for personal gain or to access, modify, or exfiltrate user data beyond what is strictly necessary to demonstrate the issue.
  • You must have used only your own accounts or test accounts during testing. You must not access, modify, or store any real user data.
  • You must have avoided disrupting availability of our services, including refraining from aggressive scans or automated attacks against production systems.
  • You must not make threats or attempt to extort Hivenet. Any such behavior will immediately disqualify the submission and may be reported to law enforcement

Testing guidance

Always test against your own accounts. Never attempt to access, read, modify, or delete data belonging to other users. If you inadvertently access user data or cause unintended service impact, stop immediately and disclose it in your report. We appreciate honesty and will assess the situation in good faith.

Safe harbor

Hivenet supports good-faith security research into our products. For activity conducted in good faith and in line with this bug bounty and responsible disclosure program, Hivenet will not threaten or bring legal action against you. If you accidentally exceed this policy while acting in good faith, stop testing immediately, avoid further access, preserve only the information needed to report the issue, and tell us what happened in your report. We will take your good-faith cooperation into account when assessing the situation.

As long as you comply with the terms of this program:

  • We consider your security research to be authorized under applicable computer fraud, computer misuse, or abuse laws with respect to in-scope systems.
  • We waive restrictions in our Terms of Service or similar platform rules that would otherwise prohibit your participation in this program, for the limited purpose of security research conducted under this policy.
  • We will not pursue legal action against you for circumventing technological protection measures solely in connection with good-faith security research on in-scope systems.

Safe harbor applies only where disclosures are unconditional and do not involve extortion, threats, or demands for payment as a condition of disclosure. If you are unsure whether a specific research activity is consistent with this policy, contact us at bugbounty@hivenet.com before proceeding.

Many Hivenet systems interact with third-party infrastructure. While we authorize research on our own systems, we cannot authorize research on third-party products. If a third party takes or threatens legal action against you for research conducted on our in-scope systems in good faith, we will make our authorization of your research known.

Our commitments to you

When you submit a good-faith report to the Hivenet bug bounty program, you can expect the following from us:

  • Acknowledgment within 5 business days of receiving your report.
  • Confidentiality: we will protect your name and contact information and will not disclose them without your consent, unless required by law.
  • Transparency: we will keep you informed of the status of your submission throughout triage, validation, and remediation.
  • Fair adjudication: every qualifying submission will be evaluated on its merits by the Hivenet Security team, applying the CVSS framework consistently.
  • Timely remediation: we commit to best-effort resolution of critical and high-severity vulnerabilities within 30 days, and medium and low-severity vulnerabilities within 90 days.
  • Recognition: with your permission, we will credit your name or handle in our security acknowledgments when a fix is publicly released.
  • Coordinated disclosure: we support your right to publish your findings and will work with you to agree on a disclosure timeline, targeting public disclosure within 90 days of confirmed receipt.
  • No retaliation: we will not pursue legal action against researchers acting in good faith under this policy.

Contact and questions

For questions about whether a specific research activity is covered by this policy, or for any other program-related inquiry, contact us before you begin testing. We can clarify ambiguities and provide guidance.

Found a vulnerability?

Send your full report to the Hivenet Security team at bugbounty@hivenet.com. Include all required fields for faster processing.

Encrypted communication

If you want to submit your report using PGP encryption, contact us first at bugbounty@hivenet.com to request our public key. Encrypted submissions are welcome and encouraged for critical or high-severity findings.

Policy changes

Hivenet reserves the right to update or modify this policy at any time. Changes will be reflected on this page with an updated “Last updated” date. Vulnerabilities reported before a policy update remain subject to the terms in effect at the time of submission.

Shader gradient background