Just before the Nextcloud Conference in Berlin, Nextcloud GmbH has decided to double the security bug bounty, going up to USD 10.000 for a remote execution vulnerability! We will talk more about this tomorrow during the conference, but for now read on for details.
Nextcloud: a secure collaboration platform
Nextcloud lets users access and collaborate on documents, calendars and in video chats in the browser or through mobile apps. Over 200 apps extend Nextcloud functionality with features like playing music and movies, tracking your phone, reading news, mind mapping and more. It is by far the most popular private cloud software, 100% open source, developed by a community and used by millions of home users as well as organizations like Siemens, the German Federal Government and many more. For Nextcloud, security is key: the need for data protection and privacy that drives most of its users to the platform relies on being able to trust the project’s effort in keeping data safe. For this reason, Nextcloud runs a security bug bounty program since its inception in 2016 and with great success.
In this blog, Nextcloud GmbH announces we’ve doubled our security bug bounties in an effort to drive even more scrutiny to our platform and demonstrate our commitment to data protection to our customers.
Nextcloud is the only enterprise file sync & share / content collaboration platform in the on-premises market which has a well maintained security bug bounty program and up to USD 10K bounties. You should ask yourself – is it wise to trust your data to a vendor which doesn’t trust its own product to withstand the scrutiny that comes with such a program?
— Frank Karlitsche, CEO of Nextcloud GmbH
Security bug bounties?
Despite a great security track record and many innovative security hardenings added to Nextcloud over the years the reality is: security is hard, and mistakes are just unavoidable. The largest IT companies with big, well paid and experienced security teams still encounter regular, embarrassing breaches. For this and more reasons, Security Bug Bounties are a ‘security best practice’ followed by large organizations like Microsoft, Uber, Github, Twitter and Slack.
Shortly after we founded Nextcloud, we announced a security bug bounty program offering a significant monetary reward for reports of security vulnerabilities within Nextcloud.
Does a bounty program replace security work?
Running a security bug bounty program does not replace internal security expertise, rather it augments existing security work.
We can and do make breaching a Nextcloud server as hard as possible for an attacker. We do that first by having a strong process aimed at writing secure code, training our developers to take security in account and reviewing designs in advance and the code itself after it has been written. Second, we secure Nextcloud pro-actively by introducing security hardenings which decrease the likelihood of a successful exploitation. By performing internal testing, we get the confidence required for shipping. And last but not least external testing such as via our bug bounty program as well as regular security audits by various third parties (including customers) gives us another set of hundreds of eyes looking over our code and potentially discovering issues within our software.
And they have found things!
results
We counted our HackerOne activity since we launched the program. After removal of some invalid reports (sometimes things get reported on out-of scope things like our infrastructure), we have these statistics:
Total of 222 reports submitted
Paid $2750 in bounties
23 reports received a bounty ($120 per report on average)
Average response time: 12 hours
Average triage time: 1 day
Average time to resolution: 1 month
Doubling up
Running a bug bounty program is something you should take seriously to get the most out of it. That means responding quickly – we’re proud of our leading response times and response quality on the HackerOne platform, showing our team takes the security issues very serious.
We’re also proud to offer some of the highest competitive bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities.
In our announcement today, we pledged to double the amount of $5,000 to up to $10,000, signaling we continue to put our money where our mouth is! There are two reasons why we increased the bounties today.
First, since we announced our program in 2016, the use of Nextcloud has grown explosively. Today, between 200.000 and 300.000 Nextcloud servers provide secure, privacy-respecting file exchange and collaboration services to a massive number of users.
The average size of Nextcloud servers certainly has also gone up. Today, dozens of our customers count their users in the tens or hundreds of thousands, back in 2016 of course this was not the case.
On top of that, these customers now include major governments like the German, French and Dutch, dozens of cities, large corporations like SIEMENS…
With more users comes more risk: a security exploit for Nextcloud has more value today than it did in 2016!
Second, after a few years, much of the lower-hanging fruit has been caught. While the program has been very successful, we’d like to keep it that way, accelerate it even! By increasing the rewards, we hope to attract even more expertise, efforts and thus scrutiny to our platform.
Go catch boogs!
We are grateful to the thousands of people who have scrutinized Nextcloud and the hundreds who’ve reported issues they found. We hope that, with a doubling of our security bug bounties, we continue to benefit from the massive expertise available on the HackerOne program and in the global white-hat hacker community!
Le organizzazioni, grandi e piccole, necessitano di una soluzione che garantisca la resilienza e la sovranità digitale delle loro operazioni: un'alternativa open source e rispettosa della privacy a Teams. E oggi presentiamo questa soluzione: Nextcloud Talk.
On December 3rd, we invite you to the Nextcloud Enterprise Day Paris, Nextcloud's flagship event for professionals. The day will kick off with a keynote by our CEO and founder, Frank Karlitschek—a highlight where he will share our vision for the future of online collaboration, followed by a major announcement about Nextcloud Talk!
Maintenance updates 28.0.12 and 30.0.2 for Nextcloud Hub 7 and 9 respectively are here! Read an update summary and access full changelog on the website.
HKN GmbH has joined the Nextcloud Enterprise Day 2024 sponsor lineup, and we couldn't be more excited! Read this blog to learn more about this partnership.
Salviamo alcuni cookie per contare i visitatori e rendere il sito più facile da usare. Questi dati non lasciano il nostro server e non servono a tracciare il tuo profilo personale! Per maggiori informazioni, consulta la nostra Informativa sulla privacy. Personalizza
I cookie statistici raccolgono informazioni in forma anonima e ci aiutano a capire come i visitatori utilizzano il nostro sito web. Utilizziamo Matomo in cloud.
Matomo
_pk_ses*: Conta la prima visita dell'utente
_pk_id*: Aiuta a non contare due volte le visite.
mtm_cookie_consent: Ricorda il consenso alla memorizzazione e all'utilizzo dei cookie dato dall'utente.
_pk_ses*: 30 minuti
_pk_id*: 28 giorni
mtm_cookie_consent: 30 giorni