We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our dedicated security page.
Important notice ⚠️
Given the high number of generic AI security reports, we are emphasizing the following:
- We accept only issues that you have reproduced yourself, proven by screenshots.
- Do not submit a report before reproducing the issue.
Low-effort AI-generated reports will be ignored and closed as Spam (-20 reputation) and may lead to your suspension from this program.
Program policy
- Keep your reports short and concise; include only the relevant information about what the threat is and how to reproduce it. Do not exaggerate your reports.
- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
- The same rule applies to secrets, keys and credentials.
- If you use large language models (LLMs), please disclose how you used them, and carefully review and edit their output before you send it to us. Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.
- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. If you do use services such as large language models, only use ones that run locally on your own hardware, so that our security information does not leak to the outside world.
- All reports must be validated manually; submissions from automated tools (code analysis tools, AI, …) won't be considered unless you have manually reviewed and validated them yourself.
- If your report mostly consists of "AI slop" (in other words, content generated largely by LLMs) or is auto-generated without careful review from you, and thus results in additional work on our side or even invalid reports, we consider the following actions valid options:
  - Closing your reports as Spam
  - Reducing bounties
  - Blocking you from our program
Instead of bothering you with a huge list of exclusions, we're going to tell you what we're especially looking for:
- Bugs within Nextcloud Server and apps supported by Nextcloud GmbH (Note: see the Scope list for all qualifying and packaged components. Third-party apps from the App Store are not part of our bounty program.)
  - Please check the top of our wiki under "Current version" to see which Nextcloud Server versions are eligible: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule
  - For apps, only the latest version compatible with those Nextcloud Server versions is eligible
  - Reports that do not mention a Nextcloud Server version, or the app version where applicable, will be closed as N/A
- Bugs within the mobile iOS and Android sync clients
  - Only the latest version of each client available in the respective store is eligible
- Bugs within the desktop clients for Mac, Windows, and Linux
  - Only the latest version of each client is eligible
For us, a bug is something that actively allows an attacker to escalate their privileges. Something like "Attacker can delete arbitrary files of other users" is fine to report; "Missing X-Frame-Options on the download servers" not so much. At the moment we also do not consider "Denial of Service" a reward-worthy vulnerability, but we will acknowledge you!
Found a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. These scopes are also the ones for which monetary rewards are awarded. Bonus points if you check against our threat model beforehand.
Found a bug in one of our websites or apps that is not in scope? While we can't offer you any monetary reward, we will acknowledge the issue and happily accept reports for it via this platform as well.
- Please do not run any Denial of Service attacks against our infrastructure or extract user data.
- Please also refrain from using automated testing tools against our infrastructure.
- Do not disclose bugs to other parties before we have published a patch.
We believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.
Rewards
Our rewards are based on severity and range up to $10,000. To give you some guidance, we have compiled the list below:
| Impact | Definition | Highest possible reward |
|---|---|---|
| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE) | $10,000 |
| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $4,000 |
| Medium | Limited disclosure of user data or attacks granting access to a single user's session. (i.e. XSS with CSP bypass) | $1,500 |
| Low | Very limited disclosure of user data or attacks requiring a very high, unlikely amount of user interaction. | $500 |