Nearly one year ago we introduced the Nextcloud bug bounty program offering a significant monetary reward for reports of security vulnerabilities within Nextcloud. Security Bug Bounties are a ‘security best practice’ followed by large organizations like Microsoft, Uber, Github, Twitter and Slack which we’ve embraced. We’re proud to offer some of the highest bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities. We’re also proud of our 8 hour response time and quick bug fix turn-around! We thought that it is time to do a short recap on the progress of our program and invite more people to participate.
security is hard, and mistakes are just unavoidable
Reasons for the Nextcloud bug bounty program
Despite our good security track record and many innovative security hardenings added to Nextcloud over the years the reality is: security is hard, and mistakes are just unavoidable. The largest IT companies with big, well paid and experienced security teams run bug bounty programs for this very reason!
However, we can make it as hard as possible for an attacker. We do that first by having a strong process aimed at writing secure code, training our developers to take security in account and reviewing designs in advance and the code itself after it has been written. Second, we secure Nextcloud pro-actively by introducing security hardenings which decrease the likelihood of a successful exploitation. By performing internal testing, we get the confidence required for shipping. And last but not least external testing such as via our bug bounty program on HackerOne gives us another set of hundreds of eyes looking over our code and potentially discovering issues within our software.
Something that especially sparks our interests are reports involving a bypass of security hardenings. After a report of a security issue, we perform a root-cause analysis and try to aim to mitigate problems of this category completely in the future. A recent example was, for example, us hardening our shipped jQuery library in addition to fixing the reported vulnerability.
As you see, running a bug bounty program is something you should take seriously to get the most out of it. It does not replace internal security expertise but rather augments it, providing opportunities to fix whole classes of potential issues at once.
Reports in numbers
In the last year, we have had reports by 358 different white hat hackers reporting 676 issues to us, averaging around 1.8 reports per reporter. As you can see, most of these reports have been done right after we announced our bug bounty program which took some more internal coordination to handle. Nowadays, we get a steady stream of around 5-10 reports a week.
Of those 676 reports, we acted on 77 unique issues which have been reported by 83 different reporters. The other 599 issues were not considered a security risk or either duplicate of existing issues:
From these 77 reports, 18 qualified for monetary awards as they were within the Nextcloud software while the others targeted our infrastructure which we excluded from our bug bounty scope.
In total we spent $5,083 on bug bounties, resulting in an average bounty of $282.
Performance analysis
We are quite proud of our performance, our all time response time is eight hours and our all time resolution time is about one month.
Those numbers mean that after an issue got reported to us the reporter receives a feedback usually within 8 hours. In average the issue has also been fixed, reviewed, regression tested and finally shipped to Nextcloud users in about one month.
Success stories
The bug bounty program would not be so successful with the dozens of skillful hackers participating in it. We would like to give a special shout-out to those top 5 five reporters in our program:
@secator – $1,000
secator reported two security issues (NC-SA-2017-001 and NC-SA-2017-002) to us which may have allowed an attacker to bypass permission on shares such as writing to read-only shares.
Kumar reported a permission related issue to us which allowed writing to a read-only share (NC-SA-2016-004) as well as the fact that a share owner has no possibility to list all existing shares which we added as a new feature in Nextcloud 11.
Aliaksei Panamarenka – $500
Aliaksei reported a reflected XSS in the Nextcloud Gallery application including a bypass for our Content-Security-Policy. (NC-SA-2016-009)
Manuel reported a reflected XSS in the error pages caused by inadequate escaping of error messages. This vulnerability was mitigated by our Content-Security-Policy. (NC-SA-2017-008 and fully disclosed hackerone report)
Those five people are just a small sample of all the hackers that helped us until now. We would like to extend our sincere thanks to every single one! Thanks to all of you for making the internet a more secure place.
If you want to be featured in our next bug bounty program update head over to our bug bounty program on HackerOne and start submitting vulnerabilities. We look forward to your reports!
Today, US-based file sync & share vendor Kiteworks announced their acquisition of ownCloud and Dracoon. Kiteworks points out that their customers now have access to their file-sharing application. It is to be expected they will not maintain 3 similar products, but customers will have to migrate to the US firms’ platform or look for another […]
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]
The serious security flaws in ownCloud (now owned by Kiteworks) do NOT affect Nextcloud. We have strict security processes in place, and do not ship test data from libraries that can cause security breaches.
We save some cookies to count visitors and make the site easier to use. This doesn't leave our server and isn't to track you personally!
See our Privacy Policy for more information. Customize