Updates about the Nextcloud Bug Bounty Program

Nearly one year ago we introduced the Nextcloud bug bounty program offering a significant monetary reward for reports of security vulnerabilities within Nextcloud. Security Bug Bounties are a ‘security best practice’ followed by large organizations like Microsoft, Uber, Github, Twitter and Slack which we’ve embraced. We’re proud to offer some of the highest bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities. We’re also proud of our 8 hour response time and quick bug fix turn-around! We thought that it is time to do a short recap on the progress of our program and invite more people to participate.

security is hard, and mistakes are just unavoidable

Reasons for the Nextcloud bug bounty program

Despite our good security track record and many innovative security hardenings added to Nextcloud over the years the reality is: security is hard, and mistakes are just unavoidable. The largest IT companies with big, well paid and experienced security teams run bug bounty programs for this very reason!

However, we can make it as hard as possible for an attacker. We do that first by having a strong process aimed at writing secure code, training our developers to take security in account and reviewing designs in advance and the code itself after it has been written. Second, we secure Nextcloud pro-actively by introducing security hardenings which decrease the likelihood of a successful exploitation. By performing internal testing, we get the confidence required for shipping. And last but not least external testing such as via our bug bounty program on HackerOne gives us another set of hundreds of eyes looking over our code and potentially discovering issues within our software.

Something that especially sparks our interests are reports involving a bypass of security hardenings. After a report of a security issue, we perform a root-cause analysis and try to aim to mitigate problems of this category completely in the future. A recent example was, for example, us hardening our shipped jQuery library in addition to fixing the reported vulnerability.

As you see, running a bug bounty program is something you should take seriously to get the most out of it. It does not replace internal security expertise but rather augments it, providing opportunities to fix whole classes of potential issues at once.

Reports in numbers

In the last year, we have had reports by 358 different white hat hackers reporting 676 issues to us, averaging around 1.8 reports per reporter. As you can see, most of these reports have been done right after we announced our bug bounty program which took some more internal coordination to handle. Nowadays, we get a steady stream of around 5-10 reports a week.

Of those 676 reports, we acted on 77 unique issues which have been reported by 83 different reporters. The other 599 issues were not considered a security risk or either duplicate of existing issues:

From these 77 reports, 18 qualified for monetary awards as they were within the Nextcloud software while the others targeted our infrastructure which we excluded from our bug bounty scope.

In total we spent $5,083 on bug bounties, resulting in an average bounty of $282.

Performance analysis

We are quite proud of our performance, our all time response time is eight hours and our all time resolution time is about one month.

Those numbers mean that after an issue got reported to us the reporter receives a feedback usually within 8 hours. In average the issue has also been fixed, reviewed, regression tested and finally shipped to Nextcloud users in about one month.

Success stories

The bug bounty program would not be so successful with the dozens of skillful hackers participating in it. We would like to give a special shout-out to those top 5 five reporters in our program:

• @secator – $1,000
  • secator reported two security issues (NC-SA-2017-001 and NC-SA-2017-002) to us which may have allowed an attacker to bypass permission on shares such as writing to read-only shares.
• Frans Rosen – $750
  • Frans reported a stored XSS vulnerability in the Nextcloud Gallery application caused by a regression. (NC-SA-2016-001)
• Kumar Saurabh – $600
  • Kumar reported a permission related issue to us which allowed writing to a read-only share (NC-SA-2016-004) as well as the fact that a share owner has no possibility to list all existing shares which we added as a new feature in Nextcloud 11.
• Aliaksei Panamarenka – $500
  • Aliaksei reported a reflected XSS in the Nextcloud Gallery application including a bypass for our Content-Security-Policy. (NC-SA-2016-009)
• Manuel Mancera – $450
  • Manuel reported a reflected XSS in the error pages caused by inadequate escaping of error messages. This vulnerability was mitigated by our Content-Security-Policy. (NC-SA-2017-008 and fully disclosed hackerone report)

Those five people are just a small sample of all the hackers that helped us until now. We would like to extend our sincere thanks to every single one! Thanks to all of you for making the internet a more secure place.

If you want to be featured in our next bug bounty program update head over to our bug bounty program on HackerOne and start submitting vulnerabilities. We look forward to your reports!