FileZilla Pro Enterprise Server (FZPES) does not currently hold SOC 2 certification, and our ISO 27001 certification is currently ongoing, in its final phases. Instead of asking you to take that on faith in the meantime, we publish what we do have: independent third-party audit results, an active bug bounty program, and a public record of how we’ve responded to past security issues — so you can evaluate our security posture directly rather than relying on a badge alone. That commitment carries forward: as we prepare a major new release, we’re bringing the same independent auditor back in ahead of it shipping.
Does FileZilla Pro Enterprise Server hold any formal security certifications?
Not yet in full. FZPES does not hold SOC 2 certification, and our ISO 27001 certification is currently ongoing, in its final phases — we’ll update this page once it’s complete. In the meantime, what we offer is transparency: audit reports, a public bug bounty profile, and documented response times for reported issues. If your organization requires a specific certification as part of procurement, contact us to discuss your requirements and timeline before purchasing.
Is FileZilla Pro Enterprise Server independently audited or penetration tested?
Yes. The FileZilla Server product line has undergone independent third-party security audits conducted by Subgraph, supported by the Open Technology Fund (OTF) — an initial audit in 2022 and a second, follow-up audit in 2025 covering the substantial amount of new code introduced since.
Is FileZilla preparing security for the upcoming FZPES release?
Yes. The next FZPES release introduces a WebUI for both end users and administrators, along with expanded backend storage support: connections to remote servers via reverse proxy — whether to expose an internal server across a DMZ, or to let internal users reach an external server across one — plus direct integration with cloud storage backends such as Amazon S3 and Google Cloud Storage. Each of these expands the product’s attack surface: a new web-facing interface, new proxy paths crossing network boundaries, and new cloud credential handling. Because of that, we’re re-engaging Subgraph — the same firm behind our 2022 and 2025 independent audits — to review the new release as part of its development.
Does FileZilla run a bug bounty program?
Yes. FileZilla operates a public bug bounty program on HackerOne, where independent security researchers can report vulnerabilities and receive recognition and rewards for verified findings.
How does FileZilla handle and disclose security vulnerabilities?
Reported vulnerabilities are verified, fixed, and disclosed through our HackerOne program page, which lists resolved reports along with severity and response information. This is the “response record” you can review yourself — we’d rather point you to the primary source than summarize it with numbers that can go out of date.
What built-in security features does FileZilla Pro Enterprise Server include?
FZPES ships with a set of security controls you configure directly on your own infrastructure:
- FTPS and SFTP with modern TLS/SSH cipher support
- Two-factor authentication (2FA) for user logins
- IP allow/deny filtering and brute-force protection against unauthorized access attempts
Note: audit logging and configuration are managed per server installation; FZPES does not currently provide centralized management of configuration or logs across multiple separate installations.
Where can I review FileZilla’s security record myself?
Three public sources, so you don’t have to take our word for it:
- Our HackerOne program page, showing the bug bounty program and resolved reports
- The OTF-backed independent audit summary for FileZilla Server
- Our blog post on the 2025 audit results
Have questions about how FZPES fits your organization’s security review process? See FileZilla Pro Enterprise Server or get in touch.