Just before the Nextcloud Conference in Berlin, Nextcloud GmbH has decided to double the security bug bounty, going up to USD 10.000 for a remote execution vulnerability! We will talk more about this tomorrow during the conference, but for now read on for details.
Nextcloud lets users access and collaborate on documents, calendars and in video chats in the browser or through mobile apps. Over 200 apps extend Nextcloud functionality with features like playing music and movies, tracking your phone, reading news, mind mapping and more. It is by far the most popular private cloud software, 100% open source, developed by a community and used by millions of home users as well as organizations like Siemens, the German Federal Government and many more. For Nextcloud, security is key: the need for data protection and privacy that drives most of its users to the platform relies on being able to trust the project’s effort in keeping data safe. For this reason, Nextcloud runs a security bug bounty program since its inception in 2016 and with great success.
In this blog, Nextcloud GmbH announces we’ve doubled our security bug bounties in an effort to drive even more scrutiny to our platform and demonstrate our commitment to data protection to our customers.
Nextcloud is the only enterprise file sync & share / content collaboration platform in the on-premises market which has a well maintained security bug bounty program and up to USD 10K bounties. You should ask yourself – is it wise to trust your data to a vendor which doesn’t trust its own product to withstand the scrutiny that comes with such a program?
— Frank Karlitsche, CEO of Nextcloud GmbH
Despite a great security track record and many innovative security hardenings added to Nextcloud over the years the reality is: security is hard, and mistakes are just unavoidable. The largest IT companies with big, well paid and experienced security teams still encounter regular, embarrassing breaches. For this and more reasons, Security Bug Bounties are a ‘security best practice’ followed by large organizations like Microsoft, Uber, Github, Twitter and Slack.
Shortly after we founded Nextcloud, we announced a security bug bounty program offering a significant monetary reward for reports of security vulnerabilities within Nextcloud.
Running a security bug bounty program does not replace internal security expertise, rather it augments existing security work.
We can and do make breaching a Nextcloud server as hard as possible for an attacker. We do that first by having a strong process aimed at writing secure code, training our developers to take security in account and reviewing designs in advance and the code itself after it has been written. Second, we secure Nextcloud pro-actively by introducing security hardenings which decrease the likelihood of a successful exploitation. By performing internal testing, we get the confidence required for shipping. And last but not least external testing such as via our bug bounty program as well as regular security audits by various third parties (including customers) gives us another set of hundreds of eyes looking over our code and potentially discovering issues within our software.
And they have found things!
We counted our HackerOne activity since we launched the program. After removal of some invalid reports (sometimes things get reported on out-of scope things like our infrastructure), we have these statistics:
Running a bug bounty program is something you should take seriously to get the most out of it. That means responding quickly – we’re proud of our leading response times and response quality on the HackerOne platform, showing our team takes the security issues very serious.
We’re also proud to offer some of the highest competitive bounties in the open source software industry, rewarding responsible disclosure with up to $5,000 for qualifying vulnerabilities.
In our announcement today, we pledged to double the amount of $5,000 to up to $10,000, signaling we continue to put our money where our mouth is! There are two reasons why we increased the bounties today.
First, since we announced our program in 2016, the use of Nextcloud has grown explosively. Today, between 200.000 and 300.000 Nextcloud servers provide secure, privacy-respecting file exchange and collaboration services to a massive number of users.
The average size of Nextcloud servers certainly has also gone up. Today, dozens of our customers count their users in the tens or hundreds of thousands, back in 2016 of course this was not the case.
On top of that, these customers now include major governments like the German, French and Dutch, dozens of cities, large corporations like SIEMENS…
With more users comes more risk: a security exploit for Nextcloud has more value today than it did in 2016!
Second, after a few years, much of the lower-hanging fruit has been caught. While the program has been very successful, we’d like to keep it that way, accelerate it even! By increasing the rewards, we hope to attract even more expertise, efforts and thus scrutiny to our platform.
We are grateful to the thousands of people who have scrutinized Nextcloud and the hundreds who’ve reported issues they found. We hope that, with a doubling of our security bug bounties, we continue to benefit from the massive expertise available on the HackerOne program and in the global white-hat hacker community!
Do you want to learn more about the leading Content Collaboration Platform? Nextcloud is an on-premises, integrated collaboration platform that can work for your organization or business in all sectors from Government, education, healthcare, and many other. Meet Nextcloud at exciting upcoming trade shows from Zukunftskongress and DMEA in Berlin to EdTech Congress Barcelona in […]
Read More
Over the last years Nextcloud Talk has developed in a fantastic productivity tool, enabling teams across the globe to communicate and collaborate in chat rooms, video meetings and webinars.
Read More
“Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat […]
Read More
“When we have welcoming communities of contributors, open source software gets better and more useful to everyone.” Limor Fried, Electrical Engineer, Inventor and Founder of open-source hardware company Adafruit We believe in this ideal and love to work with our community. We are always looking to involve more people in Nextcloud, bringing in their ideas, […]
Read More
Hot on the heels of Nextcloud Hub 4, our desktop client now enables users who are running the latest Nextcloud to take advantage of its improved End-to-end encryption features!
Read More
After a complaint filed by Nextcloud on behalf of a coalition of dozens of European cloud tech providers in November 2021, the German Bundeskartellamt (federal antitrust authorities) has now begun an official investigation into Microsoft to assess if the company has a dominant position in the market.
Read More
Nextcloud users know the importance of integrating different systems and tools to create a seamless workflow. Nextcloud Enterprise allows you to integrate with Microsoft environments for file storage, user directory, Outlook, Sharepoint, Windows Desktop, MS Office online server, and Teams. And now, we are excited to announce a new addition to our lineup: the Nextcloud […]
Read More
To aid government and business organizations migrating away from Microsoft 365, the Nextcloud Office team is looking for participants for UX studies. In particular, heavy users of Microsoft Office are encouraged to participate and provide their input so the team can identify and address the key blockers for migration. Aim of the study Nextcloud is […]
Read More
