Hivenet is committed to protecting user data and keeping our infrastructure secure. We welcome help from the security research community in identifying and responsibly disclosing vulnerabilities in Hivenet products and services.
Last update:
June 8, 2026
Hivenet provides cloud storage, file sharing, and compute services to individuals and businesses. Trust in those services depends on a security posture that is continuously tested, reviewed, and improved.
The Hivenet bug bounty program encourages good-faith security research in our products and services. We believe responsible collaboration with skilled researchers helps protect Hivenet users, Hivenet infrastructure, and the wider internet. We are committed to rewarding researchers who help us identify vulnerabilities before malicious actors do.
Program notice
This is a privately managed bug bounty program. All submissions, triage, and reward decisions are handled directly by the Hivenet Security team. By submitting a report, you agree to the terms outlined on this page. The program is managed by HIVE COMPUTING SERVICES SA, operating publicly under the Hivenet brand.
Only vulnerabilities affecting the assets explicitly listed below are eligible for a bounty reward. Submissions targeting assets outside this list are not eligible by default. Hivenet may, at its sole discretion, consider otherwise out-of-scope findings on an exceptional basis.
Asset
Type
Platform or URL
Status
Hivenet iOS app
Mobile application for Store
In scope
Hivenet Android app
Mobile application for Store
In scope
Hivenet macOS app
Desktop application for Store
In scope
Hivenet web app
Web application for Store
In scope
Compute console
Web application for Compute
In scope
Out-of-scope assets and vulnerability types
The following are explicitly excluded from this program. Submissions involving these assets or findings will be closed without reward:
We will consider any design or implementation issue that substantially affects the confidentiality, integrity, or availability of user data or Hivenet infrastructure. This includes, but is not limited to:
Web applications
Desktop and mobile apps
Infrastructure and APIs
Cryptography and data
Rewards are paid in USD via bank transfer or another mutually agreed method. The severity of a finding, and therefore its reward, is determined by the Hivenet Security team using the CVSS 3.1 or CVSS 4.0 scoring framework. All severity classifications are final and at Hivenet’s sole discretion.
Severity
Reward
Criteria
Critical
$1,000
CVSS score of 9.0 or higher. Full compromise of user data, sustained unauthorized control of infrastructure, or complete tenant isolation bypass without special conditions.
High
$500
CVSS score of 7.0 to 8.9. Significant breach of data confidentiality or integrity affecting a broad group of users, without requiring special conditions or prior access.
Medium
$250
CVSS score of 4.0 to 6.9. Unauthorized access to part of the environment, or user-data compromise affecting a single user with significant interaction required.
Low
$100
CVSS score of 0.1 to 3.9. Limited impact or unlikely exploitation conditions. The finding must still have a demonstrable path to impact to qualify.
Reward conditions
Rewards are only disbursed after the Hivenet Security team has validated the vulnerability and confirmed the CVSS score. Duplicate submissions, out-of-scope findings, and reports without sufficient reproduction steps are not eligible. Hivenet reserves the right to adjust reward amounts based on impact, novelty, report quality, and exploitation complexity.
All submissions must include a valid CVSS 3.1 or CVSS 4.0 vector string alongside the proposed severity rating. The Hivenet Security team will validate the vector and may adjust it, which may affect the reward tier. Submissions without a CVSS vector will not be processed.
Use the official CVSS calculators to generate your vector:
NVD CVSS Calculator from NIST.
Example CVSS 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 10.0, critical. Network-accessible, low complexity, no privileges, no user interaction, scope changed, and full confidentiality, integrity, and availability impact.
Example CVSS 4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Score: 10.0, critical. Network-accessible, high system impact with high subsequent system impact.
Send all vulnerability reports by email to bugbounty@hivenet.com. Send one vulnerability per email so we can triage reports efficiently. Each report must include the fields below.
Field
Required
What to include
Subject
Yes
[BUG BOUNTY] <Brief vulnerability title>
Vulnerability title
Yes
A concise, descriptive name for the vulnerability.
Description
Yes
Full description of the vulnerability, including the affected component, root cause, and potential impact on Hivenet users or infrastructure.
Severity
Yes
Critical, high, medium, or low, with justification.
CVSS vector
Yes
CVSS:3.1/AV:… or CVSS:4.0/AV:…, with computed score.
Steps to reproduce
Yes
Clear reproduction steps. Include screenshots, screen recordings, or a proof-of-concept script where applicable.
Remediation recommendation
No
Your suggested fix or mitigation strategy. This is not required, but high-quality remediation guidance is appreciated and may positively influence reward assessment.
Your contact info
No
Name or handle, plus your preferred contact email for follow-up.
Tips for a strong report
The clearer and more reproducible your report is, the faster we can validate it. Attach proof-of-concept scripts, screenshots, or screen recordings. Reference specific lines of code or API endpoints where possible. Reports that allow us to reproduce the issue on first read receive priority attention.
Do not publicly disclose suspected vulnerabilities
Do not share details of a suspected vulnerability publicly, on social media, or with third parties until Hivenet has confirmed the finding and both parties have agreed on a disclosure timeline. Early public disclosure may disqualify the submission from reward eligibility.
After you submit a report, our process is as follows:
To be eligible for a reward under this program, you must meet all of the following conditions:
Testing guidance
Always test against your own accounts. Never attempt to access, read, modify, or delete data belonging to other users. If you inadvertently access user data or cause unintended service impact, stop immediately and disclose it in your report. We appreciate honesty and will assess the situation in good faith.
Hivenet supports good-faith security research into our products. For activity conducted in good faith and in line with this bug bounty and responsible disclosure program, Hivenet will not threaten or bring legal action against you. If you accidentally exceed this policy while acting in good faith, stop testing immediately, avoid further access, preserve only the information needed to report the issue, and tell us what happened in your report. We will take your good-faith cooperation into account when assessing the situation.
As long as you comply with the terms of this program:
Safe harbor applies only where disclosures are unconditional and do not involve extortion, threats, or demands for payment as a condition of disclosure. If you are unsure whether a specific research activity is consistent with this policy, contact us at bugbounty@hivenet.com before proceeding.
Many Hivenet systems interact with third-party infrastructure. While we authorize research on our own systems, we cannot authorize research on third-party products. If a third party takes or threatens legal action against you for research conducted on our in-scope systems in good faith, we will make our authorization of your research known.
When you submit a good-faith report to the Hivenet bug bounty program, you can expect the following from us:
For questions about whether a specific research activity is covered by this policy, or for any other program-related inquiry, contact us before you begin testing. We can clarify ambiguities and provide guidance.
Found a vulnerability?
Send your full report to the Hivenet Security team at bugbounty@hivenet.com. Include all required fields for faster processing.
Encrypted communication
If you want to submit your report using PGP encryption, contact us first at bugbounty@hivenet.com to request our public key. Encrypted submissions are welcome and encouraged for critical or high-severity findings.
Policy changes
Hivenet reserves the right to update or modify this policy at any time. Changes will be reflected on this page with an updated “Last updated” date. Vulnerabilities reported before a policy update remain subject to the terms in effect at the time of submission.