Update: This post received a large amount of attention on Hacker News — see the discussion thread.
Update #2: These things happen to every big company routinely but often the person finding the vulnerability is paid and signs an NDA. Filevine allowed me to disclose this vulnerability and it should not become weaponized against them – that just drives companies to hide vulnerabilities instead of being transparent about them.
Timeline & Responsible Disclosure
Initial Contact: Upon discovering this vulnerability on October 27, 2025, I immediately reached out to Filevine’s security team via email.
November 4, 2025: Filevine’s security team thanked me for the writeup and confirmed they would review the vulnerability and fix it quickly.
November 20, 2025: I followed up to confirm the patch was in place from my end, and informed them of my intention to write a technical blog post.
November 21, 2025: Filevine confirmed the issue was resolved and thanked me for responsibly reporting it.
Publication: December 3, 2025.
The Filevine team was responsive, professional, and took the findings seriously throughout the disclosure process. They acknowledged the severity, worked to remediate the issues, allowed responsible disclosure, and maintained clear communication. Following conversations I’ve had with the Filevine team, it is clear that this incident was limited to a single law firm; no other Filevine clients were impacted. The affected system was a non-production instance, and this was not a system-wide Filevine issue. Filevine was appreciative of my efforts to find and alert them to this issue. This is another great example of how organizations should handle security disclosures.
continue reading on alexschapiro.com