Nextcloud

17/06/2016

Reward: 50 $

As an open-source project we know and believe in the well-known Linus's law:

Given enough eyeballs, all bugs are shallow

We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security, you can read more about it on our dedicated security page.

Program policy

We know how valuable your time is and employ a "No bullshit policy" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions, we're going to tell you what we're especially looking for:

  1. Bugs within Nextcloud server and its packaged components (see the scope below for all qualifying and packaged components)
  2. Bugs within the mobile iOS and Android sync clients
  3. Bugs within the desktop sync clients for Mac, Windows, and Linux

For us, a bug is something that actively allows an attacker to escalate their privileges. Something like "Attacker can delete arbitrary files of other users" qualifies; "Missing X-Frame-Options on the download servers" not so much. At the moment we also do not consider Denial of Service a reward-worthy vulnerability (we will acknowledge you, though!).

Found a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. Monetary rewards are awarded only for these components. Bonus points if you check back with our threat model before reporting.

Found a bug in one of our websites or similar infrastructure? While we can't offer you any monetary reward, we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.

We believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.

Rewards

Our rewards are based on severity and range up to $10,000. To give you some guidance, we have compiled the list below:

Impact | Definition | Highest possible reward
---|---|---
Critical | Gaining remote code execution on the server as a non-admin user (i.e. RCE) | $10,000
High | Gaining access to the complete user data of any other user (i.e. Auth Bypass) | $4,000
Medium | Limited disclosure of user data, or attacks granting access to a single user's session (i.e. XSS with CSP bypass) | $1,500
Low | Very limited disclosure of user data, or attacks requiring an unlikely amount of user interaction | $500

In Scope

Scope Type | Scope Name
---|---
android_application | com.nextcloud.client
android_application | https://play.google.com/store/apps/details?id=com.nextcloud.talk2
android_application | https://play.google.com/store/apps/details?id=com.nextcloud.client
ios_application | it.twsweb.Nextcloud
ios_application | com.nextcloud.Talk
web_application | https://download.nextcloud.com
web_application | https://nextcloud.com
web_application | https://portal.nextcloud.com
web_application | https://support.nextcloud.com
web_application | https://stats.nextcloud.com
web_application | https://static.apps.nextcloud.com
web_application | https://crm.nextcloud.com
web_application | https://scan.nextcloud.com/
web_application | https://apps.nextcloud.com/
web_application | https://lookup.nextcloud.com
web_application | https://surveyserver.nextcloud.com
web_application | https://push-notifications.nextcloud.com
web_application | https://lists.nextcloud.com
web_application | https://docs.nextcloud.com
web_application | https://knowledge.nextcloud.com
web_application | https://projects.nextcloud.com
web_application | https://usercontent.apps.nextcloud.com
web_application | https://help.nextcloud.com
web_application | https://logs.nextcloud.com
web_application | https://auth.nextcloud.com
web_application | https://newsletter.nextcloud.com
web_application | https://pushfeed.nextcloud.com
web_application | https://customerupdates.nextcloud.com
web_application | https://updates.nextcloud.com
web_application | https://github.com/nextcloud/survey_client
web_application | https://github.com/nextcloud/gallery
web_application | https://github.com/nextcloud/files_accesscontrol
web_application | https://github.com/nextcloud/server
web_application | https://github.com/nextcloud/3rdparty
web_application | https://github.com/nextcloud/updater
web_application | https://github.com/nextcloud/logreader
web_application | https://github.com/nextcloud/spreed
web_application | https://github.com/nextcloud/nextcloud_announcements
web_application | https://github.com/nextcloud/serverinfo
web_application | https://github.com/nextcloud/files_retention
web_application | https://github.com/nextcloud/files_automatedtagging
web_application | https://github.com/nextcloud/user_saml
web_application | https://github.com/nextcloud/password_policy
web_application | https://github.com/nextcloud/notifications
web_application | https://github.com/nextcloud/firstrunwizard
web_application | https://github.com/nextcloud/files_videoplayer
web_application | https://github.com/nextcloud/files_texteditor
web_application | https://github.com/nextcloud/files_pdfviewer
web_application | https://github.com/nextcloud/activity
web_application | https://nextcloud.com/install/#install-clients
web_application | https://itunes.apple.com/app/nextcloud/id1125420102
web_application | https://itunes.apple.com/app/id1296825574
web_application | https://github.com/nextcloud/survey_server
web_application | https://github.com/nextcloud/nextcloud.com
web_application | https://zammad.com/contact
web_application | http://www.keycloak.org/
web_application | https://github.com/nextcloud/documentation
web_application | https://github.com/nextcloud/appstore
web_application | https://github.com/nextcloud/lookup-server/
web_application | https://github.com/nextcloud/usercontent.apps.nextcloud.com
web_application | https://github.com/nextcloud/announcer

Out of Scope

Scope Type | Scope Name
---|---
web_application | https://cloud.nextcloud.com
web_application | https://drone.nextcloud.com
web_application | https://demo.nextcloud.com
web_application | https://conf.nextcloud.com
web_application | https://sentry.nextcloud.com
web_application | https://try.nextcloud.com
web_application | https://github.com/drone/drone
web_application | eventyay page
web_application | the responsible contacts
web_application | https://sentry.io/security/


The program has been crawled by Firebounty on 2016-06-17 and updated on 2019-09-25; 152 reports have been received so far.

FireBounty © 2015-2019