Reward

BountyHall of fame

$50 Low $500 Medium $1,000 High $3,000 Critical $5,000

Program

Avg reward -

Max reward -

Scopes22

Supported languagesEnglish

Hacktivity

Reports447

1st response < 1 day

Reports last 24h4

Reports last week37

Reports this month114

Program description

Program activity

Updates

December 2025

Enabled Leaks and exposed credentials
Enabled Systemic Issues grid

August 2025

Added clarification on the relation between our open source repositories on Github.com and vulnerability reports on YesWeHack.com.
Streamlined some of the program rules and descriptions related to the reward grid without changing the grid itself or the bounty value.

June 2025

Added clarification to the bug bounty brief requiring demonstrable impact for XSS reports beyond simple alert pop-ups.

April 2025

Added a section to clarify that we usually do not consider vulnerabilities that require admin privileges (CVSS PR:H) as critical.

About

ownCloud

We created the ownCloud Security Bug Bounty Program to reward security researchers for finding issues in the ownCloud Server, and in so doing help strengthen ownCloud Server for customers, users and the community.

Program Rules

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

Denial of service (DoS) attacks on ownCloud applications, servers, networks or infrastructure are strictly forbidden.
Avoid tests that could cause degradation or interruption of our services.
Do not use automated scanners or tools that generate large amount of network traffic.
Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
Do not copy any files from our applications/servers and disclose them.
No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security of ownCloud, however only those that meet the following eligibility requirements may receive a monetary reward:

You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability (see below).
The report must contain the following elements:
Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and ownCloud, and remediation advice on fixing the vulnerability
Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
You must not break any of the testing policy rules listed above
You must not be a former or current employee of ownCloud or one of its contractors.

Reward amounts are based on:

Reward grid of the report's scope
CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

⚠️ XSS Reporting Requirements

Please note that for any reports involving Cross-Site Scripting (XSS), a basic proof-of-concept such as a JavaScript alert box (e.g., alert(1)) will not be considered sufficient for triage or reward. To qualify for a valid report, you must demonstrate a clear and actionable impact resulting from the XSS vulnerability. This includes, but is not limited to:

Performing actions on behalf of another user (e.g., creating a new user account or modifying user settings)
Exfiltrating sensitive data (e.g., sending authentication cookies or session tokens to an external server)
Bypassing security controls or escalating privileges

The goal is to understand the real-world risk and exploitability of the issue, so please ensure your report includes a well-documented and impactful demonstration.

⚠️ Rules for this program in relation to our open source repositories on Github.com

As you are aware, our software is open source on Github.com. While we absolutely appreciate your contribution to these repositories, we need to clarify the relation to bug bounty reward eligibility.

If you report a vulnerability on YesWeHack.com and also want to suggest a fix in the Github repository, please make sure that you submit the vulnerability report in this program first. As all commits on Github.com are public, we cannot accept a report and pay bounty if the fix was publicly submitted first as it is very hard for us to confirm that you are actually the author of the commit/pull request. If the bug bounty report was submitted after the commit/pull request, we will close it as Duplicate with a reference to the Github issue/fix/commit/PR.
If the team decides to accept a pull request and merges a code change, this does not imply that we acknowledge any vulnerability that is closed with the code change. We accept code improvements for various reasons that are much broader than the reward eligibility in this program. That means that only the rules of this program and the discussion in the report's comment section on YesWeHack.com can root a decision for a bug bounty.

Reward Grid

If the bug is identified as meaningful and qualifies for the program, and the reporter has followed the Disclosure Policy, the bug bounty is paid out strictly based on the CVSS score and the documented reward grid. Please note that we linearly interpolate the payout based on the upper and lower borders' values.

The severity of the bug is determined at the discretion of ownCloud and the ownCloud security team. All bounties will be paid using YesWeHack platform.

⚠️ Important information about vulnerabilities that require admin privileges

In ownCloud we consider a vulnerability to be critical only if it poses an immediate threat to a significantly large percentage of our customer base. In that light, vulnerabilities that require administrator privileges (CVSS PR:H) are, by definition, considered a localized threat, and would not be classified as critical. Please note that we would down-rate such vulnerabilities to a maximum of CVSS 8.9, unless provided with compelling arguments, or if chained with another vulnerability that allows privileges escalation.

Complements about our scopes

Desktop Client

Issues affecting the Desktop Client available from https://owncloud.org/install/#install-clients
Source: https://github.com/owncloud/client

Note that the ownCloud server itself is considered a trusted endpoint in our threat model and an eligible vulnerability must not rely on a malicious ownCloud instance.

com.owncloud.android

Our official Android client from https://play.google.com/store/apps/details?id=com.owncloud.android..
Source: https://github.com/owncloud/android

Note that the ownCloud server itself is considered a trusted endpoint in our threat model and an eligible vulnerability must not rely on a malicious ownCloud instance.

owncloud.iosapp

Our official iOS client from https://apps.apple.com/app/id1359583808
Source: https://github.com/owncloud/ios-app

Note that the ownCloud server itself is considered a trusted endpoint in our threat model and an eligible vulnerability must not rely on a malicious ownCloud instance.

owncloud/customgroups

Code from: https://github.com/owncloud/customgroups

This apps makes it possible for users to create their own custom groups and manage members. It is then possible to share files or folders with these groups.

owncloud/guests

Code from: https://github.com/owncloud/guests

Create a guest user by typing his name in to the sharing dialog. The guest will receive an email invite with a link to create an account. He only has access to files which are shared with him.

owncloud/richdocuments

Code from: https://github.com/owncloud/richdocuments

Collabora Online for ownCloud provides collaborating editing functions for text documents, spreadsheets and presentations inside ownCloud for improved productivity.

owncloud/notifications

Code from: https://github.com/owncloud/notifications

Notification backend and UI for the notification panel/icon. Used for notifications of other apps (announcementcenter, federatedfilesharing etc.)

owncloud/core

Code from: https://github.com/owncloud/core

This is our core server software, which is "the heart" of owncloud.

Note that some folders such as tests and so on will not be packaged. Please make sure that the referenced file is thus also existent in our final releases.

owncloud/gallery

Code from: https://github.com/owncloud/gallery

Media gallery for ownCloud which includes previews for all media types supported by your installation.

Provides a dedicated view of all images in a grid, adds image viewing capabilities to the files app and adds a gallery view to public links.

owncloud/ocis

Code from: https://github.com/owncloud/ocis

This is next generation server software, which is "the new heart" of owncloud.

Note that some folders such as tests and so on will not be packaged. Please make sure that the referenced file is thus also existent in our final releases.

owncloud/web

Code from: https://github.com/owncloud/web

This is the web application for the next generation server software, ownCloud Infinite Scale.

owncloud/web-extensions

Code from: https://github.com/owncloud/web-extensions

Additional web apps for ownCloud Infinite Scale

owncloud/user_ldap

Code from: https://github.com/owncloud/user_ldap

This application enables administrators to connect ownCloud to an LDAP-based user directory for authentication and provisioning users, groups and user attributes. Admins can configure this application to connect to one or more LDAP directories or Active Directories via an LDAP interface. Attributes such as user quota, email, avatar pictures, group memberships and more can be pulled into ownCloud from a directory with the appropriate queries and filters.

owncloud/oauth2

Code from: https://github.com/owncloud/oauth2

Application for using OAuth 2.0 in ownCloud

owncloud/openidconnect

Code from: https://github.com/owncloud/openidconnect

OpenID Connect integration for ownCloud 10

owncloud/activity

Code from: https://github.com/owncloud/activity

Provides an activity feed showing your file changes and other interesting things going on in your ownCloud.

owncloud/impersonate

Code from https://github.com/owncloud/impersonate

Administrators can impersonate the identity of other users. This is usually used to handle support cases.

owncloud/updater

Code from: https://github.com/owncloud/updater

owncloud/files

Code from: https://github.com/owncloud/core/tree/master/apps/files

This is the app for owncloud file management.

Reward

Systemic issues

1st report100% 2nd report100% 3rd report75% 4th report50% 5th report25% 6th+ report10%

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:

More info

Scopes

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Medium $1,000

High $3,000

Critical $5,000

Out of scopes

All domains or subdomains not listed in the above list of 'Scopes'
*.owncloud.org
*.owncloud.com

Vulnerability types

Qualifying vulnerabilities

SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Remote Code Execution (RCE)
Insecure Direct Object Reference (IDOR)
Horizontal and vertical privilege escalation
Authentication bypass & broken authentication
Business Logic Errors vulnerability with real security impact
Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
Cross-Origin Resource Sharing (CORS) with real security impact
Cross-site Request Forgery (CSRF) with real security impact
Open Redirect
Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes
Broken cryptographic implementation with working exploit
Cleartext Transmission of Sensitive Information (passwords etc.)

Non-qualifying vulnerabilities

Broken Link/Social media Hijacking
Tabnabbing
Missing cookie flags
Content/Text injections
Clickjacking/UI redressing
Denial of Service (DoS) attacks
Recently disclosed CVEs (less than 30 days sinces patch release)
CVEs without exploitable vulnerabilities and PoC
Open ports or services without exploitable vulnerabilities and PoC
Social engineering of staff or contractors
Presence of autocomplete attribute on web forms
Vulnerabilities affecting outdated browsers or platforms
Self-XSS or XSS that cannot be used to impact other users
Any hypothetical flaw or best practices without exploitable vulnerabilities and PoC
SSL/TLS issues (e.g. expired certificates, best practices)
Unexploitable vulnerabilities (e.g. Self-XSS, XSS or Open Redirect through HTTP headers...)
Reports with attack scenarios requiring MITM or physical access to victim's device
Missing security-related HTTP headers which do not lead directly to an exploitable vulnerability and PoC
Low severity Cross-Site Request Forgery (CSRF) (e.g. Unauthenticated / Logout / Login / Products cart updates...)
Invalid or missing email security records (e.g. SPF, DKIM, DMARC)
Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
Disclosure of information without exploitable vulnerabilities and PoC (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets, EXIF Metadata, Origin IP)
CSV injection
Malicious file upload (e.g. EICAR files, .EXE)
HTTP Strict Transport Security Header (HSTS)
Subdomain takeover without a full exploitable vulnerability and PoC or not applicable to the scope
Blind SSRF without exploitable vulnerabilities and PoC (e.g. DNS & HTTP pingback, Wordpress XMLRPC)
Lack or bypass of rate-limiting, brute-forcing or captcha issues
User enumeration (e.g. email, alias, GUID, phone number, common CMS endpoints)
Weak password policies (e.g. length, complexity, reuse)
Ability to spam users (email / SMS / direct messages flooding)
Disclosed or misconfigured public API keys (e.g. Google Maps, Firebase, analytics tools...)
Password reset token sent via HTTP referer to external services (e.g. analytics / ads platforms)
Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
Pre-account takeover (e.g. account creation via oAuth)
GraphQL Introspection is enabled
Non sensitive information disclosure: stack traces, path disclosure, directory listings, software versions, etc
Credential stuffing
Logout and other instances of low-severity Cross-Site Request Forgery
Enumeration/account oracles: possibility to enumerate phone number, email, GUID, etc. and receive back a message indicating it exists
Missing security-related HTTP headers which do not lead directly to a vulnerability
Race condition

Reports of leaks and exposed credentials

More info

Type of leak Source of leak is in-scope Source of leak belongs to the Organization and is out-of-scope Source of leak does not belong to the Organization and is out-of-scope

Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Eligible Not eligible

Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Not eligible Not eligible

Hunting requirements

Account access

No test accounts will be provided.

User agent

Please append to your user-agent header the following value: ' -BugBounty-owncloud-31337 '.

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see [https://helpcenter.yeswehack.io/hunter/hunter-collaboration](help center). Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to login with your hunter account. /programs/owncloud-bug-bounty-program/create-report