Introducing the Nextcloud bug bounty program

Post date

June 17, 2016


Jos Poortvliet

Today we are happy to announce the Nextcloud bug bounty program. We offer some of the highest bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities!

We have partnered with the HackerOne platform because of its extraordinary popularity among IT security professionals. More than 3,000 hackers have reported over 24,000 bugs via the platform. Running a program on HackerOne allows us to quickly leverage the collective knowledge of a huge amount of these security experts.

“We are thrilled to welcome Nextcloud to the HackerOne community and have the opportunity to again work with Lukas Reschke”, said Marten Mickos, CEO of HackerOne. “Reschke’s experience with open source and running competitive bug bounty programs at scale is sure to benefit Nextcloud security and its customers.”

While we do perform internal research and add pro-active security hardenings all the time (a prominent example being the introduction of same-site cookies) we are always looking for external input as well. Few limitations and exclusions as well as some of the highest rewards in the open source world for responsible disclosure will serve to attract the kind of professional expertise needed to turn this into a success.

We’re confident in our code base and our work and with this project we will bring the Nextcloud security to an even higher level.

Impact Definition Maximum possible reward
Critical Gaining remote code execution on the server as unauthenticated user. (i.e. RCE) $5,000
High Gaining access to complete user data of any other user. (i.e. Auth Bypass) $2,000
Medium Limited disclosure of user data or attacks granting access to a single users’ user session. (i.e. XSS) $750
Low Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. $250

Note that our websites ( and are NOT part of the program, only the software you can find on our install page.

Get started now at and help make Nextcloud even more awesome!


  • Bug Bounty -Programm June 17, 2016 at 11:28

    […] Gründe sind das für mich noch nicht. Umso schöner zu lesen, dass NextCloud ein großzügiges Bug Bounty -Programm ins Leben gerufen hat. Im Vergleich zum Programm von OwnCloud zahlt NextCloud eine ganze Menge mehr […]

  • hackerone_sml555 June 18, 2016 at 04:38

    I just wanted to see if I could get an xss runnign on the system… Please do let me know if it works out, as you have a vulnerable akismet version 🙂

    • Jos Poortvliet June 18, 2016 at 12:14

      I’m sure you can find issues with our website, but as the article notes clearly, it isn’t part of the bug bounty program. If you want to participate in the bounty program, please grab the Nextcloud source code from our installation page

      • dlm June 25, 2016 at 07:16

        If download binaries and signatures/keys can be substituted, that’s a huge vulnerability for users. Maybe the website should be included?

        • Jos Poortvliet June 28, 2016 at 09:19

          The download binaries and keys are on a different server – and well protected… I don’t think this is a big issue and besides we’d be giving bounties for WordPress issues (that’s what we built our website with). I’d rather not go there…

Start the discussion at the
Nextcloud forums

Go to Forums
This site is registered on as a development site. Switch to a production site key to remove this banner.