Today we are happy to announce the Nextcloud bug bounty program. We offer some of the highest bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities!
We have partnered with the HackerOne platform because of its extraordinary popularity among IT security professionals. More than 3,000 hackers have reported over 24,000 bugs via the platform. Running a program on HackerOne allows us to quickly leverage the collective knowledge of a huge amount of these security experts.
“We are thrilled to welcome Nextcloud to the HackerOne community and have the opportunity to again work with Lukas Reschke”, said Marten Mickos, CEO of HackerOne. “Reschke’s experience with open source and running competitive bug bounty programs at scale is sure to benefit Nextcloud security and its customers.”
While we do perform internal research and add pro-active security hardenings all the time (a prominent example being the introduction of same-site cookies) we are always looking for external input as well. Few limitations and exclusions as well as some of the highest rewards in the open source world for responsible disclosure will serve to attract the kind of professional expertise needed to turn this into a success.
We’re confident in our code base and our work and with this project we will bring the Nextcloud security to an even higher level.
Impact
Definition
Maximum possible reward
Critical
Gaining remote code execution on the server as unauthenticated user. (i.e. RCE)
$5,000
High
Gaining access to complete user data of any other user. (i.e. Auth Bypass)
$2,000
Medium
Limited disclosure of user data or attacks granting access to a single users’ user session. (i.e. XSS)
$750
Low
Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction.
$250
Note that our websites (nextcloud.com and nextcloud.org) are NOT part of the program, only the software you can find on our install page.
Nextcloud Enterprise Day is soon here and we have an amazing lineup of speakers providing insightful talks! One of those speakers is George Imrie from Nextcloud customer T-Systems – Deutsche Telekom’s business-customer IT affiliate. T-Systems is a digital transformation specialist, with operations in 20 countries worldwide.In preparation for their talk at the Nextcloud Enteprise Day […]
Last week, Nextcoud CEO Frank Karlitschek appeared on one of Germany’s biggest public service TV broadcaster’s: ZDF. Watch the news item by ZDF here. Interviewed in Nextcloud’s Berlin office, Frank explains the challenge the company faces up against big tech giants like Google and Microsoft. “That’s all very difficult for us, due to the fact […]
Nextcloud Enterprise Day is soon here and we have an amazing lineup of speakers providing insightful talks! One of those speakers is Mr. Birkner from the State Institute for School Quality and Teacher Training in Saxony-Anhalt (LISA) in Germany. In preparation for his talk at the Nextcloud Enteprise Day on June 13th, we asked him […]