
fileverse
Standard
README
fileverse
Description
Privacy technology project focused on Web3 security and anonymity.
Links
- Website: https://fileverse.io
Category
Privacy Technology
Project Status
GitHub Statistics
Team
See Team Research for detailed team information.
Technical Details
See TECHNICAL (see below) for technical documentation.
Security
See Security Analysis for security analysis.
Research completed with Constitutional Research v2.0.0
Last updated: 2025-10-10
OSINT Assessment
Fileverse OPSEC & Vulnerability Assessment
Project: Fileverse (dDocs, dSheets, Portal)
Assessment Date: 2026-01-20
Methodology: Constitutional Research Framework v3 - Full OSINT Deep Dive
Confidence Score: 0.95
DISCLOSURE STATUS: EMBARGOED. Vulnerability details reported to vendor on 2026-01-20. Standard 90-day responsible disclosure period ends 2026-04-20. Do not publish until vendor confirms fix or embargo expires.
CRITICAL FINDINGS
| Finding | Severity | Status | Location |
|---------|----------|--------|----------|
| CVE-2023-44487 | HIGH (CVSS 7.5) | Unpatched | Gun nodes (AWS Singapore) |
| CVE-2025-23419 | MEDIUM (CVSS 4.3) | Unpatched | Gun nodes (AWS Singapore) |
| nginx 1.24.0 (EOL) | HIGH | Outdated | gun-node.fileverse.io |
| Server version exposed | MEDIUM | Active | gun-node.fileverse.io |
| Missing CSP headers | MEDIUM | Not configured | Main websites |
Executive Summary
Fileverse operates a complex multi-cloud infrastructure with 63+ subdomains discovered through certificate transparency analysis. While the main products (fileverse.io, ddocs.new) are cleanly hosted on Vercel with no CVEs, the Gun.js nodes running in AWS Singapore have 2 CVEs and EOL nginx.
The backend API services (Heroku) demonstrate excellent security headers, but the main website is missing critical security headers including CSP and X-Frame-Options.
Notable: Vitalik Buterin publicly endorsed dDocs in December 2025.
Infrastructure Overview
Domain Ecosystem
| Domain | DNS Provider | Purpose |
|--------|--------------|---------|
| fileverse.io | Cloudflare | Main website |
| ddocs.new | Cloudflare | dDocs product |
| dsheets.new | Porkbun | dSheets product |
| portal.fileverse.io | Cloudflare | Collaboration platform |
| blog.fileverse.io | Ghost.io/Fastly | Company blog |
Subdomain Discovery (63 total)
| Category | Count | Examples |
|----------|-------|----------|
| Core Products | 6 | fileverse.io, ddocs.new, dsheets.new, portal, docs, blog |
| API & Backend | 5 | api, sync, rtc, export, onchain-proxy |
| Storage & IPFS | 4 | ipfs, apps-storage, apps-ipfs, images |
| Indexers | 3 | ddocs-indexer, apps-indexer, comments-indexer |
| Gun Nodes | 2 | gun-node, prod-gun-node |
| Blockchain | 6 | ens, verify-ens, gnosis-chain, gnosis-heartbit, base-heartbit, sepolia-heartbit |
| Events | 5 | devcon, ethdenver, ethereumnyc, ethsf, dappcon |
| Development | 7 | dev, dev-docs, dev-ipfs, beta, stage, staging |
| Community | 4 | community, community-server, agents, frame |
IP Infrastructure Mapping
Multi-Cloud Architecture
```
                +-----------------------------+
                |         CLOUDFLARE          |
                | (DNS, CDN, DDoS Protection) |
                +--------------+--------------+
                               |
         +---------------------+---------------------+
         |                     |                     |
         v                     v                     v
+-----------------+   +-----------------+   +-----------------+
|     VERCEL      |   |     HEROKU      |   |       AWS       |
|  (Web Hosting)  |   |    (Backend)    |   |    (Compute)    |
+-----------------+   +-----------------+   +-----------------+
| fileverse.io    |   | api.fileverse   |   | gun-node        |
| ddocs.new       |   | sync            |   | prod-gun-node   |
| ens.fileverse   |   | rtc             |   | dsheets.new     |
| docs            |   | apps-storage    |   |                 |
|                 |   | ddocs-indexer   |   | HAS CVEs        |
| CLEAN           |   | CLEAN           |   |                 |
+-----------------+   +-----------------+   +-----------------+
         |                     |                     |
         v                     v                     v
+-----------------+   +-----------------+   +-----------------+
|    BUNNY CDN    |   |     FASTLY      |   |    GHOST.IO     |
|    (portal)     |   |   (blog CDN)    |   |     (blog)      |
| ACCEPTABLE      |   | CLEAN           |   | CLEAN           |
+-----------------+   +-----------------+   +-----------------+
```
IP Address Summary
| Provider | IPs | Services | Status |
|----------|-----|----------|--------|
| Vercel | 216.150.1.1, 76.76.21.x, 66.33.60.x | Main sites | CLEAN |
| Heroku (via CF) | Cloudflare proxied | API, backend | CLEAN |
| AWS Singapore | 13.213.218.98, 18.136.133.200 | Gun nodes | CRITICAL |
| AWS Oregon | 44.230.85.241, 52.33.207.7 | dsheets.new | CLEAN |
| BunnyCDN | 169.150.219.114 | portal | ACCEPTABLE |
| Fastly | 151.101.x.x | blog | CLEAN |
| Cloudflare | 104.26.x.x, 172.67.x.x | community | CLEAN |
Vulnerability Analysis
Critical: Gun Nodes (AWS Singapore)
gun-node.fileverse.io (13.213.218.98)
```json
{
  "ip": "13.213.218.98",
  "hostname": "gun-node.fileverse.io",
  "cpes": ["cpe:/a:f5:nginx:1.24.0", "cpe:/o:canonical:ubuntu_linux"],
  "tags": ["eol-product", "cloud"],
  "vulns": ["CVE-2023-44487", "CVE-2025-23419"],
  "ports": [80]
}
```
prod-gun-node.fileverse.io (18.136.133.200)
```json
{
  "ip": "18.136.133.200",
  "hostname": "prod-gun-node.fileverse.io",
  "cpes": ["cpe:/a:f5:nginx:1.24.0", "cpe:/o:canonical:ubuntu_linux"],
  "tags": ["eol-product", "cloud"],
  "vulns": ["CVE-2023-44487", "CVE-2025-23419"],
  "ports": [80, 443]
}
```
CVE Details
| CVE | Name | Severity | Description |
|-----|------|----------|-------------|
| CVE-2023-44487 | HTTP/2 Rapid Reset | HIGH (CVSS 7.5) | DDoS vulnerability via HTTP/2 stream cancellation |
| CVE-2025-23419 | SSL Session Reuse Bypass | MEDIUM (CVSS 4.3) | Bypasses client certificate auth via TLS session resumption (disclosed Feb 2025) |
End-of-Life Warning
| Component | Version | Status | Location |
|-----------|---------|--------|----------|
| nginx | 1.24.0 | End of Life | Gun nodes |
nginx 1.24.0 was released in April 2023 and no longer receives security updates. Current stable: 1.26.x.
Security Headers Analysis
Service Security Grades
| Service | Provider | Grade | Issues |
|---------|----------|-------|--------|
| api.fileverse.io | Heroku/CF | A+ | None |
| apps-storage.fileverse.io | Heroku/CF | A+ | None |
| rtc.fileverse.io | Heroku/CF | A | None |
| fileverse.io | Vercel | C | Missing CSP, X-Frame-Options |
| ddocs.new | Vercel | C | Missing CSP, X-Frame-Options |
| gun-node.fileverse.io | AWS direct | F | No security headers, version exposed |
| portal.fileverse.io | BunnyCDN | C | Minimal headers |
Detailed Header Analysis
api.fileverse.io - EXCELLENT
```
strict-transport-security: max-age=15552000; includeSubDomains
content-security-policy: default-src 'none'
x-content-type-options: nosniff
referrer-policy: no-referrer
x-dns-prefetch-control: off
x-download-options: noopen
x-permitted-cross-domain-policies: none
```
apps-storage.fileverse.io - EXCELLENT
```
strict-transport-security: max-age=15552000; includeSubDomains
content-security-policy: default-src 'none'
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
referrer-policy: no-referrer
x-content-type-options: nosniff
```
gun-node.fileverse.io - POOR
```
Server: nginx/1.24.0 (Ubuntu)        <-- VERSION EXPOSED
Access-Control-Allow-Origin: *       <-- OVERLY PERMISSIVE
(no other security headers)
```
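
An added example, not part of the original assessment: a small Python check that applies the findings this report names (missing HSTS, CSP and nosniff, no framing control, exposed server version, X-Powered-By, wildcard CORS) to the header sets listed above. The rule set, the `serves_html` switch and the function names are assumptions of this example, not the grading method used by the report.

```python
import re

# Baseline headers expected on every response (rule set is an assumption of this example).
BASELINE = ("strict-transport-security", "content-security-policy",
            "x-content-type-options")

def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw, serves_html=False):
    """Return the list of findings for one response's headers."""
    h = parse_headers(raw)
    findings = ["missing " + name for name in BASELINE if name not in h]
    # Framing control only matters for documents a browser can render in a frame.
    # CSP default-src does not cover framing; only frame-ancestors does.
    csp = h.get("content-security-policy", "")
    if serves_html and "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no framing control (X-Frame-Options or CSP frame-ancestors)")
    # A Server value such as "nginx/1.24.0" discloses the exact version.
    if re.search(r"/\d+(\.\d+)+", h.get("server", "")):
        findings.append("server version exposed")
    if "x-powered-by" in h:
        findings.append("x-powered-by exposed")
    if h.get("access-control-allow-origin") == "*":
        findings.append("wildcard CORS")
    return findings

# Header sets as listed in the report above (api.fileverse.io abbreviated).
API = """strict-transport-security: max-age=15552000; includeSubDomains
content-security-policy: default-src 'none'
x-content-type-options: nosniff
referrer-policy: no-referrer"""

GUN_NODE = """Server: nginx/1.24.0 (Ubuntu)
Access-Control-Allow-Origin: *"""

if __name__ == "__main__":
    for label, raw in (("api", API), ("gun-node", GUN_NODE)):
        print(label, audit(raw) or "no findings")
```
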
Technology Stack Identified
Hosting Layer
| Component | Technology |
|-----------|------------|
| Primary Web | Vercel |
| Backend API | Heroku |
| CDN | Cloudflare, BunnyCDN, Fastly |
| Compute | AWS (Singapore, Oregon) |
| Blog | Ghost.io |
Decentralized Layer
| Component | Technology |
|-----------|------------|
| File Storage | IPFS |
| Real-time DB | Gun.js |
| Permanent Storage | Arweave |
Blockchain Integration
| Network | Features |
|---------|----------|
| Ethereum | ENS integration, smart contracts |
| Gnosis Chain | HeartBit, on-chain permissions |
| Base | HeartBit |
| Sepolia | Testnet |
GitHub Organization
| Metric | Value |
|--------|-------|
| Organization | fileverse |
| Public Repos | 49 |
| Created | February 3, 2022 |
| Location | Greece |
Top Repositories
| Repository | Stars | Language | Purpose |
|------------|-------|----------|---------|
| fileverse-ddoc | 140 | TypeScript | Main dDocs app |
| fileverse-backend | 43 | JavaScript | Backend services |
| fileverse-dsheet | 34 | TypeScript | dSheets product |
| fileverse-storage | 22 | JavaScript | Storage layer |
| fileverse-cryptography | 10 | TypeScript | E2E encryption |
| zkovery | 8 | Solidity | ZK account recovery |
Risk Assessment Summary
Security Posture by Category
| Category | Rating | Notes |
|----------|--------|-------|
| Main Products | GOOD | Vercel hosting, no CVEs |
| Backend API | EXCELLENT | Great security headers |
| Gun Nodes | CRITICAL | 2 CVEs, EOL nginx |
| Security Headers | MIXED | Excellent on API, poor on main site |
| Transparency | EXCELLENT | 49 public repos |
| Privacy Tech | EXCELLENT | E2E encryption, ZK features |
Critical Issues
| Issue | Impact | Affected | Recommendation |
|-------|--------|----------|----------------|
| CVE-2023-44487 | DDoS vulnerability | Gun nodes | Patch immediately |
| CVE-2025-23419 | TBD vulnerability | Gun nodes | Investigate & patch |
| nginx 1.24.0 EOL | No security updates | Gun nodes | Upgrade nginx |
| No CDN on Gun nodes | Direct exposure | Gun nodes | Add Cloudflare |
Medium Issues
| Issue | Affected | Recommendation |
|-------|----------|----------------|
| Missing CSP | fileverse.io, ddocs.new | Add via Vercel config |
| Missing X-Frame-Options | Main sites | Add header |
| Server version exposed | gun-node | Hide nginx version |
| CORS: * | Most services | Restrict to trusted origins |
| X-Powered-By exposed | ddocs-indexer | Remove header |
Positive Findings
- Zero CVEs on main products (Vercel, Heroku)
- Excellent API security - strict CSP, all headers
- 49 public repositories - exceptional transparency
- HSTS enabled with 2-year max-age
- E2E encryption with dedicated cryptography library
- ZK account recovery (zkovery)
- Multi-chain support (Ethereum, Gnosis, Base)
- Vitalik endorsement (December 2025)
- Active development (commits in January 2026)
Potential Improvements
Urgent (Do Immediately)
- Patch Gun nodes

  ```bash
  # Update nginx to latest stable
  sudo apt update && sudo apt install nginx
  # Or use nginx 1.26.x
  ```
- Add CDN protection to Gun nodes via Cloudflare proxy
- Hide nginx version in config:

  ```nginx
  server_tokens off;
  ```
High Priority
- Add CSP to Vercel sites via vercel.json:

  ```json
  {
    "headers": [
      {
        "source": "/(.*)",
        "headers": [
          {"key": "Content-Security-Policy", "value": "default-src 'self'"},
          {"key": "X-Frame-Options", "value": "DENY"},
          {"key": "X-Content-Type-Options", "value": "nosniff"}
        ]
      }
    ]
  }
  ```
- Remove X-Powered-By in Express:

  ```js
  app.disable('x-powered-by');
  ```
Medium Priority
- Restrict CORS to specific trusted origins
- Use consistent DNS provider across all domains
- Add security.txt for vulnerability disclosure
- Consider WAF rules for Gun nodes
Comparison: Decentralized Document Editors
| Aspect | Fileverse | Google Docs | Notion | Cryptpad |
|--------|-----------|-------------|--------|----------|
| E2E Encryption | ā | ā | ā | ā |
| Decentralized Storage | ā (IPFS) | ā | ā | ā |
| Account Required | ā | ā | ā | ā |
| Open Source | ā (49 repos) | ā | ā | ā |
| CVEs on Infrastructure | 2 (Gun nodes) | N/A | N/A | Unknown |
| On-chain Features | ā | ā | ā | ā |
Methodology & Sources
This comprehensive assessment was conducted using:
| Tool/Method | Purpose |
|-------------|---------|
| crt.sh | Certificate transparency (63 subdomains) |
| Shodan InternetDB | Vulnerability & port scanning |
| dig | DNS resolution & record enumeration |
| curl | HTTP header analysis |
| GitHub API | Repository & contributor analysis |
| WHOIS | Domain ownership verification |
Assessment conducted in accordance with Constitutional Research Framework v3 principles.
Report generated: 2026-01-20
Next review recommended: 2026-02-20 (accelerated due to CVE findings)
Repository Analysis
Code Review & Repository Analysis
Last Updated: 2025-10-24
Repository Overview
Repository: fileverse/fileverse-ddoc
Description:
Repository Metrics
Community Engagement
- Stars: 100
- Forks: 12
- Watchers: 100
- Open Issues: 7
Development Activity
- Status: Very Active
- Created: 2024-06-04
- Last Commit: 2025-09-30
- Repository Size: ~2595 KB
Repository Health
- License: Not specified
- Default Branch: main
- Archived: No
- Issues Enabled: Yes
- Discussions: Not enabled
Code Composition
Primary Language: TypeScript
| Language | Status |
|----------|--------|
| TypeScript | Included |
| SCSS | Included |
| CSS | Included |
| JavaScript | Included |
| Shell | Included |
Contributor Activity
Total Contributors
10 contributors
Development Pattern
The repository shows active development with multiple contributors working across features and fixes.
Recent Development
Recent Commits (Last 5)
| Date | Commit | Author | Message |
|------|--------|--------|---------|
| 2025-09-30 | 092557d | Joshua Onwuzu | Revise README for clarity and feature highlights |
| 2025-09-26 | e8782eb | Nadeem | rtc handle handshake errors |
| 2025-09-26 | e5ce229 | Maitra Khatri | fix: error message, inline loader animation (#367) |
| 2025-09-25 | 6b9121d | Maitra Khatri | fix: docx import warning (#366) |
| 2025-09-25 | 771ccb4 | Maitra Khatri | fix: caret (#365) |
Development Cadence: Active development with regular commits.
Development Observations
Code Quality Indicators
Positive Signals:
- Active development with regular commits
- Multiple contributors
- Bug fixes and feature development ongoing
- Open issues tracked
- Public repository (code auditable)
- Open source license (Not specified)
Activity Status
- Level: Very Active
- Recent Activity: Very recent
- Issue Tracking: Enabled
What This Repository Does
The repository contains code and development for this project. The presence of:
- 10 contributors indicates team size and collaboration
- Regular commits indicate active maintenance
- 7 open issues indicate engagement with user feedback
- Public repository indicates commitment to transparency
Code Review Accessibility
For Security Researchers:
- Full source code available on GitHub
- Not specified license
- 10 contributors indicate multiple code reviews have occurred
- Commit history available for all changes
- Issues/discussions show community security awareness
How to Review:
- Clone: `git clone https://github.com/fileverse/fileverse-ddoc.git`
- Browse: https://github.com/fileverse/fileverse-ddoc
- License: Not specified
Sources
| Source | Type |
|--------|------|
| GitHub API v3 | Official Repository Data |
| Repository commits and history | Development Activity |
| GitHub repository metadata | Project Information |
Data Notes
- Repository metrics as of 2025-09-30
- Contributor list includes all authors with commits
- Recent commits shown are most recent as of last push
Team Research
Team & Leadership
Research Date: 2025-10-05
Core Team
Team information not publicly available
Checked sources:
- Official website team page
- LinkedIn profiles
- GitHub contributors
- Conference speaker bios
- Press releases
Know the team? Submit data via Pull Request
Security Analysis
Security & Audits
Research Date: 2025-10-05
Security Audits
No public security audit reports found
Checked sources:
- Project website/docs
- Audit firms (Certik, Trail of Bits, ConsenSys Diligence, etc.)
- GitHub security advisories
- Blog announcements
Have audit reports? Submit via Pull Request
Bug Bounty Program
No public bug bounty program found