Nextcloud Conference News: Nextcloud GmbH doubling HackerOne security bug bounties!

Just before the Nextcloud Conference in Berlin, Nextcloud GmbH has decided to double the security bug bounty, going up to USD 10.000 for a remote execution vulnerability! We will talk more about this tomorrow during the conference, but for now read on for details.

Nextcloud: a secure collaboration platform

Nextcloud lets users access and collaborate on documents, calendars and in video chats in the browser or through mobile apps. Over 200 apps extend Nextcloud functionality with features like playing music and movies, tracking your phone, reading news, mind mapping and more. It is by far the most popular private cloud software, 100% open source, developed by a community and used by millions of home users as well as organizations like Siemens, the German Federal Government and many more. For Nextcloud, security is key: the need for data protection and privacy that drives most of its users to the platform relies on being able to trust the project’s effort in keeping data safe. For this reason, Nextcloud runs a security bug bounty program since its inception in 2016 and with great success.

In this blog, Nextcloud GmbH announces we’ve doubled our security bug bounties in an effort to drive even more scrutiny to our platform and demonstrate our commitment to data protection to our customers.

Nextcloud is the only enterprise file sync & share / content collaboration platform in the on-premises market which has a well maintained security bug bounty program and up to USD 10K bounties. You should ask yourself – is it wise to trust your data to a vendor which doesn’t trust its own product to withstand the scrutiny that comes with such a program?

— Frank Karlitsche, CEO of Nextcloud GmbH

Security bug bounties?

Despite a great security track record and many innovative security hardenings added to Nextcloud over the years the reality is: security is hard, and mistakes are just unavoidable. The largest IT companies with big, well paid and experienced security teams still encounter regular, embarrassing breaches. For this and more reasons, Security Bug Bounties are a ‘security best practice’ followed by large organizations like Microsoft, Uber, Github, Twitter and Slack.

Shortly after we founded Nextcloud, we announced a security bug bounty program offering a significant monetary reward for reports of security vulnerabilities within Nextcloud.

Does a bounty program replace security work?

Running a security bug bounty program does not replace internal security expertise, rather it augments existing security work.

We can and do make breaching a Nextcloud server as hard as possible for an attacker. We do that first by having a strong process aimed at writing secure code, training our developers to take security in account and reviewing designs in advance and the code itself after it has been written. Second, we secure Nextcloud pro-actively by introducing security hardenings which decrease the likelihood of a successful exploitation. By performing internal testing, we get the confidence required for shipping. And last but not least external testing such as via our bug bounty program as well as regular security audits by various third parties (including customers) gives us another set of hundreds of eyes looking over our code and potentially discovering issues within our software.

And they have found things!

results

We counted our HackerOne activity since we launched the program. After removal of some invalid reports (sometimes things get reported on out-of scope things like our infrastructure), we have these statistics:

  • Total of 222 reports submitted
  • Paid $2750 in bounties
  • 23 reports received a bounty ($120 per report on average)
  • Average response time: 12 hours
  • Average triage time: 1 day
  • Average time to resolution: 1 month

Doubling up

Running a bug bounty program is something you should take seriously to get the most out of it. That means responding quickly – we’re proud of our leading response times and response quality on the HackerOne platform, showing our team takes the security issues very serious.

We’re also proud to offer some of the highest competitive bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities.

In our announcement today, we pledged to double the amount of $5,000 to up to $10,000, signaling we continue to put our money where our mouth is! There are two reasons why we increased the bounties today.

First, since we announced our program in 2016, the use of Nextcloud has grown explosively. Today, between 200.000 and 300.000 Nextcloud servers provide secure, privacy-respecting file exchange and collaboration services to a massive number of users.

The average size of Nextcloud servers certainly has also gone up. Today, dozens of our customers count their users in the tens or hundreds of thousands, back in 2016 of course this was not the case.

On top of that, these customers now include major governments like the German, French and Dutch, dozens of cities, large corporations like SIEMENS…

With more users comes more risk: a security exploit for Nextcloud has more value today than it did in 2016!

Second, after a few years, much of the lower-hanging fruit has been caught. While the program has been very successful, we’d like to keep it that way, accelerate it even! By increasing the rewards, we hope to attract even more expertise, efforts and thus scrutiny to our platform.

Go catch boogs!

We are grateful to the thousands of people who have scrutinized Nextcloud and the hundreds who’ve reported issues they found. We hope that, with a doubling of our security bug bounties, we continue to benefit from the massive expertise available on the HackerOne program and in the global white-hat hacker community!