Nextcloud Talk in Hub 4 - next level video chat
Over the last years Nextcloud Talk has developed in a fantastic productivity tool, enabling teams across the globe to communicate and collaborate in chat rooms, video meetings and webinars.
Read More
Today we are happy to announce the Nextcloud bug bounty program. We offer some of the highest bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities!
We have partnered with the HackerOne platform because of its extraordinary popularity among IT security professionals. More than 3,000 hackers have reported over 24,000 bugs via the platform. Running a program on HackerOne allows us to quickly leverage the collective knowledge of a huge amount of these security experts.
“We are thrilled to welcome Nextcloud to the HackerOne community and have the opportunity to again work with Lukas Reschke”, said Marten Mickos, CEO of HackerOne. “Reschke’s experience with open source and running competitive bug bounty programs at scale is sure to benefit Nextcloud security and its customers.”
While we do perform internal research and add pro-active security hardenings all the time (a prominent example being the introduction of same-site cookies) we are always looking for external input as well. Few limitations and exclusions as well as some of the highest rewards in the open source world for responsible disclosure will serve to attract the kind of professional expertise needed to turn this into a success.
We’re confident in our code base and our work and with this project we will bring the Nextcloud security to an even higher level.
| Impact | Definition | Maximum possible reward |
| Critical | Gaining remote code execution on the server as unauthenticated user. (i.e. RCE) | $5,000 |
| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $2,000 |
| Medium | Limited disclosure of user data or attacks granting access to a single users’ user session. (i.e. XSS) | $750 |
| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. | $250 |
Note that our websites (nextcloud.com and nextcloud.org) are NOT part of the program, only the software you can find on our install page.
Get started now at hackerone.com/nextcloud and help make Nextcloud even more awesome!
Over the last years Nextcloud Talk has developed in a fantastic productivity tool, enabling teams across the globe to communicate and collaborate in chat rooms, video meetings and webinars.
Read More
Hot on the heels of Nextcloud Hub 4, our desktop client now enables users who are running the latest Nextcloud to take advantage of its improved End-to-end encryption features!
Read More
“Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat […]
Read More
“When we have welcoming communities of contributors, open source software gets better and more useful to everyone.” Limor Fried, Electrical Engineer, Inventor and Founder of open-source hardware company Adafruit We believe in this ideal and love to work with our community. We are always looking to involve more people in Nextcloud, bringing in their ideas, […]
Read More
Do you want to learn more about the leading Content Collaboration Platform? Nextcloud is an on-premises, integrated collaboration platform that can work for your organization or business in all sectors from Government, education, healthcare, and many other. Meet Nextcloud at exciting upcoming trade shows from Zukunftskongress and DMEA in Berlin to EdTech Congress Barcelona in […]
Read More
After a complaint filed by Nextcloud on behalf of a coalition of dozens of European cloud tech providers in November 2021, the German Bundeskartellamt (federal antitrust authorities) has now begun an official investigation into Microsoft to assess if the company has a dominant position in the market.
Read More
Nextcloud users know the importance of integrating different systems and tools to create a seamless workflow. Nextcloud Enterprise allows you to integrate with Microsoft environments for file storage, user directory, Outlook, Sharepoint, Windows Desktop, MS Office online server, and Teams. And now, we are excited to announce a new addition to our lineup: the Nextcloud […]
Read More
To aid government and business organizations migrating away from Microsoft 365, the Nextcloud Office team is looking for participants for UX studies. In particular, heavy users of Microsoft Office are encouraged to participate and provide their input so the team can identify and address the key blockers for migration. Aim of the study Nextcloud is […]
Read More
[…] Gründe sind das für mich noch nicht. Umso schöner zu lesen, dass NextCloud ein großzügiges Bug Bounty -Programm ins Leben gerufen hat. Im Vergleich zum Programm von OwnCloud zahlt NextCloud eine ganze Menge mehr […]
Hi…
I just wanted to see if I could get an xss runnign on the system… Please do let me know if it works out, as you have a vulnerable akismet version 🙂
I’m sure you can find issues with our website, but as the article notes clearly, it isn’t part of the bug bounty program. If you want to participate in the bounty program, please grab the Nextcloud source code from our installation page
If download binaries and signatures/keys can be substituted, that’s a huge vulnerability for users. Maybe the website should be included?
The download binaries and keys are on a different server – and well protected… I don’t think this is a big issue and besides we’d be giving bounties for WordPress issues (that’s what we built our website with). I’d rather not go there…