Nearly one year ago we introduced the Nextcloud bug bounty program offering a significant monetary reward for reports of security vulnerabilities within Nextcloud. Security Bug Bounties are a ‘security best practice’ followed by large organizations like Microsoft, Uber, Github, Twitter and Slack which we’ve embraced. We’re proud to offer some of the highest bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities. We’re also proud of our 8 hour response time and quick bug fix turn-around! We thought that it is time to do a short recap on the progress of our program and invite more people to participate.
security is hard, and mistakes are just unavoidable
Reasons for the Nextcloud bug bounty program
Despite our good security track record and many innovative security hardenings added to Nextcloud over the years the reality is: security is hard, and mistakes are just unavoidable. The largest IT companies with big, well paid and experienced security teams run bug bounty programs for this very reason!
However, we can make it as hard as possible for an attacker. We do that first by having a strong process aimed at writing secure code, training our developers to take security in account and reviewing designs in advance and the code itself after it has been written. Second, we secure Nextcloud pro-actively by introducing security hardenings which decrease the likelihood of a successful exploitation. By performing internal testing, we get the confidence required for shipping. And last but not least external testing such as via our bug bounty program on HackerOne gives us another set of hundreds of eyes looking over our code and potentially discovering issues within our software.
Something that especially sparks our interests are reports involving a bypass of security hardenings. After a report of a security issue, we perform a root-cause analysis and try to aim to mitigate problems of this category completely in the future. A recent example was, for example, us hardening our shipped jQuery library in addition to fixing the reported vulnerability.
As you see, running a bug bounty program is something you should take seriously to get the most out of it. It does not replace internal security expertise but rather augments it, providing opportunities to fix whole classes of potential issues at once.
Reports in numbers
In the last year, we have had reports by 358 different white hat hackers reporting 676 issues to us, averaging around 1.8 reports per reporter. As you can see, most of these reports have been done right after we announced our bug bounty program which took some more internal coordination to handle. Nowadays, we get a steady stream of around 5-10 reports a week.
Of those 676 reports, we acted on 77 unique issues which have been reported by 83 different reporters. The other 599 issues were not considered a security risk or either duplicate of existing issues:
From these 77 reports, 18 qualified for monetary awards as they were within the Nextcloud software while the others targeted our infrastructure which we excluded from our bug bounty scope.
In total we spent $5,083 on bug bounties, resulting in an average bounty of $282.
Performance analysis
We are quite proud of our performance, our all time response time is eight hours and our all time resolution time is about one month.
Those numbers mean that after an issue got reported to us the reporter receives a feedback usually within 8 hours. In average the issue has also been fixed, reviewed, regression tested and finally shipped to Nextcloud users in about one month.
Success stories
The bug bounty program would not be so successful with the dozens of skillful hackers participating in it. We would like to give a special shout-out to those top 5 five reporters in our program:
@secator – $1,000
secator reported two security issues (NC-SA-2017-001 and NC-SA-2017-002) to us which may have allowed an attacker to bypass permission on shares such as writing to read-only shares.
Kumar reported a permission related issue to us which allowed writing to a read-only share (NC-SA-2016-004) as well as the fact that a share owner has no possibility to list all existing shares which we added as a new feature in Nextcloud 11.
Aliaksei Panamarenka – $500
Aliaksei reported a reflected XSS in the Nextcloud Gallery application including a bypass for our Content-Security-Policy. (NC-SA-2016-009)
Manuel reported a reflected XSS in the error pages caused by inadequate escaping of error messages. This vulnerability was mitigated by our Content-Security-Policy. (NC-SA-2017-008 and fully disclosed hackerone report)
Those five people are just a small sample of all the hackers that helped us until now. We would like to extend our sincere thanks to every single one! Thanks to all of you for making the internet a more secure place.
If you want to be featured in our next bug bounty program update head over to our bug bounty program on HackerOne and start submitting vulnerabilities. We look forward to your reports!
Organisations, small and large, need a way to ensure the resiliency and digital sovereignty of their operations – an open-source, privacy-respecting alternative to Teams. And today, we present that solution - Nextcloud Talk.
Nextcloud has been recognized with the World Summit Award Germany that selects and promotes local digital innovation improving society, aiming to contribute to the United Nations' agenda of sustainable development goals.
Nextcloud Hub 9 lets you stay connected. Discover new federation features, workflow automation, big design overhaul and much much more in your favourite open-source collaboration platform!
DIE ZEIT, a prominent German outlet, interviewed Nextcloud’s founder Frank Karlitschek for an article on Microsoft’s anti-competitive behaviour on the European office software market. Read for a recap of the article and the key takeaways.
MagentaCLOUD’s migration to Nextcloud in 2021 resulted in a fully equipped Online Storage with an integrated online office suite that further improves the user experience, flexibility and security for customers.
We bring you a major update to the Nextcloud AI Assistant, plus the news we work with several big hosting providers like IONOS and OVHcloud to bring AI-as-a-Service options to you!
Bechtle and Nextcloud announce today a complete managed collaboration platform for the public sector that requires no tender and can be deployed immediately.
Discover how to make the switch from ownCloud to Nextcloud. Our quick guide provides insights into the migration process, helping you make the transition smoothly.
Today, US-based file sync & share vendor Kiteworks announced their acquisition of ownCloud and Dracoon. Kiteworks points out that their customers now have access to their file-sharing application. It is to be expected they will not maintain 3 similar products, but customers will have to migrate to the US firms’ platform or look for another […]
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]
In this article, we find out how open-source AI gets you your privacy back and explore examples of reliable AI models that you can use in your ecosystem.
On December 3rd, we invite you to the Nextcloud Enterprise Day Paris, Nextcloud's flagship event for professionals. The day will kick off with a keynote by our CEO and founder, Frank Karlitschek—a highlight where he will share our vision for the future of online collaboration, followed by a major announcement about Nextcloud Talk!
We save some cookies to count visitors and make the site easier to use. This doesn't leave our server and isn't to track you personally!
See our Privacy Policy for more information. Customize
Statistics cookies collect information anonymously and help us understand how our visitors use our website. We use cloud-hosted Matomo
Matomo
_pk_ses*: Counts the first visit of the user
_pk_id*: Helps not to double count the visits.
mtm_cookie_consent: Remembers that consent for storing and using cookies was given by the user.
_pk_ses*: 30 minutes
_pk_id*: 28 days
mtm_cookie_consent: 30 days