Security Advisories | Threat Model
This page hosts our security policies and information regarding the reporting of security flaws. Learn more about how Nextcloud aims to offer the best security in the open source file sync and share industry here.
See a full list of historic advisories in the CVE database.
For server owners, our documentation has a section with best practices and tips on securing a Nextcloud server.
If you have discovered a security issue with Nextcloud, please read our responsible disclosure guidelines and contact us at hackerone.com/nextcloud. Your report should include:
A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. The fix will be applied to the master branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added to the hall of fame as a thank you from the entire Nextcloud community. Read our threat model to learn what behavior is expected.
To facilitate confidential submission of security issues, we provide the following PGP key:
A724937A
2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A
We do, however, recommend not encrypting the information submitted via HackerOne, as only a small subset of the team has access to this key.
The Nextcloud community kindly requests that you comply with the following guidelines when researching and reporting security vulnerabilities:
Nextcloud Server:
You will find our Maintenance and Release Schedule on GitHub. Please have a close look at the End of Life section.
If you want to continue using versions that have reached their End of Life, please contact Nextcloud sales for access to our Long Term Support offering.
Nextcloud Desktop Clients:
Nextcloud Android Clients:
Nextcloud iOS Clients: