Threat model & accepted risks
This page is constantly evolving. So check back over time to see new additions.
This page is constantly evolving. So check back over time to see new additions.
We consider Nextcloud administrators ultimately trusted. It is for example expected behavior that a Nextcloud administrator can execute arbitrary code.
Due to the usage of the PHP scripting language we do consider Denial of Service not something that can at the moment be completely prevented. See also the article “PHP Denial of Service Attack Revisited“.
We do consider local mounted storage systems as trusted, so if a symlink or something else is configured on the external storage the Nextcloud server will follow it with the web server privileges.
For this reason we do recommend administrators to only use the external storage mount for ultimately trusted content.
Nextcloud can be configured to encrypt data at rest. This has two options: server-wide key (default since Nextcloud 13) or per-user key. With the former, the keys are on the server and thus the only protection offered is against external storage. With per-user keys, the keys are encrypted by the user password and handled as securely as possible, thus securing data when the user is not logged in. We are aware that a Nextcloud administrator could still intercept the user password to manually decrypt the encryption key. We do thus only consider attack scenarios bounty-worthy if they include an external storage vector or, with per-user-keys, data-at-rest.
Nextcloud client-side (or end-to-end) encryption is designed to protect user data from the server in nearly all scenario’s, as described in the RFC. Any way to circumvent the protection as covered by the security properties would be treated by us as a security issue. Note that, as of May 2018, the client-side or end-to-end encryption feature is not considered ‘finished’ and no bug bounties are paid out until it is released as a final, stable version, expected in 2020.
Some features in Nextcloud are intentionally marked as insecure and disabled by default (plus have a big warning above them). One example includes the preview providers such as the LibreOffice preview provider. At the moment we consider vulnerabilities in those disabled features as not bounty-worthy.
The audit logging feature in Nextcloud is at the moment missing some logs for things like “Accessing previews of files”, these will be added in a future release and known issues are tracked in our issue tracker.
At the moment we consider version disclosure an accepted risk as an attacker can enumerate service versions using other means as well. (e.g. comparing behaviour)
We do consider attacks involving other Android apps on the device as low or medium risk. Stored files can be hidden from other apps if appropriate storage option is selected inside the app. This should be secure, however, if the phone is compromised we don’t guarantee data safety.
Generally speaking we consider content spoofing not a bounty-worthy vulnerability.
We do not consider user enumeration a security risk as for convenience and for features such as Server-to-Server sharing this is an expected behaviour.
Nextcloud 12 introduced brute force protection. If you find a way in which it is broken, it could qualify as a security issue. Of course we’re aware that using TOR or similar solutions can be used to circumvent IP address based brute force protection. It is also not implemented in all endpoints, but should not allow guessing passwords at great speed from a single IP address.
Nextcloud ships with multiple features that perform sending requests to other hosts, we do consider this accepted behaviour and advocate people to deploy Nextcloud into its own seggregated network segment.