Nearly one year ago we introduced the Nextcloud bug bounty program, offering a significant monetary reward for reports of security vulnerabilities within Nextcloud. Security bug bounties are a security best practice followed by large organizations like Microsoft, Uber, GitHub, Twitter and Slack, and one we have embraced. We're proud to offer some of the highest bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities. We're also proud of our 8 hour response time and quick bug fix turn-around! We thought it was time for a short recap of our program's progress and to invite more people to participate.
Reasons for the Nextcloud bug bounty program
Despite our good security track record and the many innovative security hardenings added to Nextcloud over the years, the reality is: security is hard, and mistakes are just unavoidable. The largest IT companies, with big, well-paid and experienced security teams, run bug bounty programs for this very reason!
However, we can make it as hard as possible for an attacker. We do that first by having a strong process aimed at writing secure code: training our developers to take security into account, reviewing designs in advance and reviewing the code itself after it has been written. Second, we secure Nextcloud proactively by introducing security hardenings that decrease the likelihood of successful exploitation. Internal testing gives us the confidence required for shipping. And last but not least, external testing such as our bug bounty program on HackerOne gives us another set of hundreds of eyes looking over our code and potentially discovering issues in our software.
Something that especially sparks our interest are reports involving a bypass of security hardenings. After a report of a security issue, we perform a root-cause analysis and aim to mitigate problems of that category completely in the future. A recent example was hardening our shipped jQuery library in addition to fixing the reported vulnerability.
As you can see, running a bug bounty program is something you should take seriously to get the most out of it. It does not replace internal security expertise but rather augments it, providing opportunities to fix whole classes of potential issues at once.
Reports in numbers
In the last year, 358 different white-hat hackers reported 676 issues to us, averaging around 1.8 reports per reporter. As you can see, most of these reports came in right after we announced our bug bounty program, which took some extra internal coordination to handle. Nowadays, we get a steady stream of around 5-10 reports a week.
Of those 676 reports, we acted on 77 unique issues, which were reported by 83 different reporters. The other 599 issues were either not considered a security risk or were duplicates of existing issues.
Of these 77 reports, 18 qualified for monetary awards because they were within the Nextcloud software itself; the others targeted our infrastructure, which we excluded from our bug bounty scope.
In total we spent $5,083 on bug bounties, resulting in an average bounty of $282.
Performance analysis
We are quite proud of our performance: our all-time response time is eight hours and our all-time resolution time is about one month.
Those numbers mean that after an issue is reported to us, the reporter usually receives feedback within 8 hours. On average, the issue has also been fixed, reviewed, regression-tested and finally shipped to Nextcloud users within about one month.
Success stories
The bug bounty program would not be so successful without the dozens of skillful hackers participating in it. We would like to give a special shout-out to the top five reporters in our program:
@secator – $1,000
secator reported two security issues (NC-SA-2017-001 and NC-SA-2017-002) to us which may have allowed an attacker to bypass permissions on shares, such as writing to read-only shares.
Kumar reported a permission-related issue to us which allowed writing to a read-only share (NC-SA-2016-004), as well as the fact that a share owner had no way to list all existing shares, which we added as a new feature in Nextcloud 11.
Aliaksei Panamarenka – $500
Aliaksei reported a reflected XSS in the Nextcloud Gallery application, including a bypass of our Content-Security-Policy (NC-SA-2016-009).
Manuel reported a reflected XSS in the error pages caused by inadequate escaping of error messages. This vulnerability was mitigated by our Content-Security-Policy (NC-SA-2017-008 and a fully disclosed HackerOne report).
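To make the two layers in that last report concrete (output escaping as the fix, Content-Security-Policy as the hardening that limits the damage when escaping is missed), here is an added PHP example. It is not Nextcloud's code and does not reproduce the reported issue; the function names renderErrorUnsafe, renderErrorSafe and cspHeader are hypothetical, and the probe string is a constructed test input.

```php
<?php
// Added example (not Nextcloud code): an error page that reflects an
// untrusted message, shown before and after output escaping, plus the
// Content-Security-Policy header that acts as a second line of defence.
declare(strict_types=1);

// Before: the untrusted message (e.g. a query parameter echoed back) is
// interpolated raw into HTML. Markup inside it is rendered as markup,
// which is what makes a reflected XSS possible.
function renderErrorUnsafe(string $message): string
{
    return "<h1>Error</h1><p>$message</p>";
}

// After: every untrusted value is HTML-escaped at the output boundary.
// ENT_QUOTES also escapes single quotes, so the value is safe inside
// attribute contexts too, not only between tags.
function renderErrorSafe(string $message): string
{
    $escaped = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Error</h1><p>$escaped</p>";
}

// Defence in depth: a restrictive CSP. Even when a template forgets to
// escape, a CSP-enforcing browser refuses inline scripts, so the injected
// markup shows up as broken text rather than running. The per-response
// nonce lets the page's own legitimate <script nonce="..."> tags still run.
function cspHeader(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-$nonce'; "
         . "object-src 'none'; base-uri 'none'; frame-ancestors 'self'";
}

if (PHP_SAPI === 'cli') {
    // Constructed test input: a value containing markup, as a tester
    // would send to check whether the page reflects it unescaped.
    $probe = '<script>alert(1)</script>';

    // The hardened renderer must never emit the raw tag.
    assert(strpos(renderErrorSafe($probe), '<script>') === false);

    echo renderErrorUnsafe($probe), "\n"; // raw tag reflected: vulnerable
    echo renderErrorSafe($probe), "\n";   // &lt;script&gt;...: plain text
    echo cspHeader(base64_encode(random_bytes(16))), "\n";
}
```

In a real request handler the header from cspHeader() is sent with header() before any body output, and the same nonce is placed on the page's own script tags. The escaping is the actual fix; the CSP is what turned this report from "script executes" into "markup is displayed as text" while the fix was being shipped.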
Those five people are just a small sample of all the hackers who have helped us so far. We would like to extend our sincere thanks to every single one! Thanks to all of you for making the internet a more secure place.
If you want to be featured in our next bug bounty program update, head over to our bug bounty program on HackerOne and start submitting vulnerabilities. We look forward to your reports!