17/06/2016
Reward
50 $ 

In Scope

Scope Type | Scope Name
---|---
android_application | com.nextcloud.talk2
android_application | com.nextcloud.client
android_application | https://play.google.com/store/apps/details?id=com.nextcloud.talk2
android_application | https://play.google.com/store/apps/details?id=com.nextcloud.client
ios_application | it.twsweb.Nextcloud
ios_application | com.nextcloud.Talk
ios_application | https://itunes.apple.com/app/nextcloud/id1125420102
ios_application | https://itunes.apple.com/app/id1296825574
undefined | nextcloud/survey_client
undefined | nextcloud/gallery
undefined | nextcloud/files_accesscontrol
undefined | nextcloud/server
undefined | nextcloud/3rdparty
undefined | nextcloud/updater
undefined | nextcloud/logreader
undefined | nextcloud/spreed
undefined | nextcloud/nextcloud_announcements
undefined | nextcloud/serverinfo
undefined | nextcloud/files_retention
undefined | nextcloud/files_automatedtagging
undefined | nextcloud/user_saml
undefined | nextcloud/password_policy
undefined | nextcloud/notifications
undefined | nextcloud/firstrunwizard
undefined | nextcloud/files_videoplayer
undefined | nextcloud/files_texteditor
undefined | nextcloud/files_pdfviewer
undefined | nextcloud/activity
undefined | Desktop Client
undefined | https://github.com/nextcloud/survey_client
undefined | https://github.com/nextcloud/gallery
undefined | https://github.com/nextcloud/files_accesscontrol
undefined | https://github.com/nextcloud/server
undefined | https://github.com/nextcloud/3rdparty
undefined | https://github.com/nextcloud/updater
undefined | https://github.com/nextcloud/logreader
undefined | https://github.com/nextcloud/spreed
undefined | https://github.com/nextcloud/nextcloud_announcements
undefined | https://github.com/nextcloud/serverinfo
undefined | https://github.com/nextcloud/files_retention
undefined | https://github.com/nextcloud/files_automatedtagging
undefined | https://github.com/nextcloud/user_saml
undefined | https://github.com/nextcloud/password_policy
undefined | https://github.com/nextcloud/firstrunwizard
undefined | https://github.com/nextcloud/files_videoplayer
undefined | https://github.com/nextcloud/files_texteditor
undefined | https://github.com/nextcloud/files_pdfviewer
undefined | https://github.com/nextcloud/activity
undefined | https://nextcloud.com/install/#install-clients
web_application | https://customerupdates.nextcloud.com
web_application | https://updates.nextcloud.com
web_application | https://download.nextcloud.com
web_application | https://nextcloud.com
web_application | https://portal.nextcloud.com
web_application | https://support.nextcloud.com
web_application | https://stats.nextcloud.com
web_application | https://static.apps.nextcloud.com
web_application | https://crm.nextcloud.com
web_application | https://scan.nextcloud.com/
web_application | https://apps.nextcloud.com/
web_application | https://lookup.nextcloud.com
web_application | https://surveyserver.nextcloud.com
web_application | https://push-notifications.nextcloud.com
web_application | https://lists.nextcloud.com
web_application | https://docs.nextcloud.com
web_application | https://knowledge.nextcloud.com
web_application | https://projects.nextcloud.com
web_application | https://usercontent.apps.nextcloud.com
web_application | https://help.nextcloud.com
web_application | https://logs.nextcloud.com
web_application | https://auth.nextcloud.com
web_application | https://newsletter.nextcloud.com
web_application | https://pushfeed.nextcloud.com
web_application | Client updater server: https://github.com/nextcloud/client_updater_server
web_application | Server updater server: https://github.com/nextcloud/updater_server
web_application | While updates and downloads are cryptographically signed, this is still a core part of Nextcloud. We thus pay out monetary rewards for issues affecting the integrity of the system (e.g. allowing an attacker to replace arbitrary files on the system).
web_application | https://github.com/nextcloud/notifications
web_application | https://github.com/nextcloud/survey_server
web_application | https://github.com/nextcloud/nextcloud.com
web_application | Portal with support answers by the Nextcloud support team.
web_application | https://zammad.com/contact
web_application | http://www.keycloak.org/
web_application | http://www.keycloak.org/
web_application | https://github.com/nextcloud/documentation
web_application | Runs the web interface for the software used by the Nextcloud security scanner.
web_application | https://github.com/nextcloud/appstore
web_application | https://github.com/nextcloud/lookup-server/
web_application | http://www.keycloak.org/
web_application | https://github.com/nextcloud/notifications
web_application | http://www.keycloak.org/
web_application | https://github.com/nextcloud/appstore
web_application | http://www.keycloak.org/
web_application | http://www.keycloak.org/
web_application | https://github.com/nextcloud/usercontent.apps.nextcloud.com
web_application | https://hackerone.com/discourse
web_application | http://www.keycloak.org/
web_application | https://github.com/nextcloud/announcer

Out of Scope

Scope Type | Scope Name
---|---
web_application | https://cloud.nextcloud.com
web_application | https://drone.nextcloud.com
web_application | https://demo.nextcloud.com
web_application | https://conf.nextcloud.com
web_application | https://sentry.nextcloud.com
web_application | https://cloud.nextcloud.com
web_application | https://github.com/drone/drone
web_application | https://demo.nextcloud.com
web_application | eventyay page
web_application | https://sentry.io/security/

Nextcloud

As an open-source project we know and believe in the well-known Linus' law:

Given enough eyeballs, all bugs are shallow

We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security, you can read more about it on our dedicated security page.

Program policy

We know how valuable your time is and employ a "No bullshit policy" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions, we're going to tell you what we're especially looking for:

  1. Bugs within Nextcloud server and its packaged components (see scope below for all qualifying and packaged components)
  2. Bugs within the mobile iOS and Android sync clients
  3. Bugs within the desktop sync clients for Mac, Windows, and Linux

For us, a bug is something that actively allows an attacker to escalate their privileges. Something like "Attacker can delete arbitrary files of other users" is fine; "Missing X-Frame-Options on the download servers" not so much. At the moment we also do not consider Denial of Service a reward-worthy vulnerability (we will acknowledge you though!).

Found a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These are also the components for which monetary rewards are awarded. Bonus points if you check back with our threat model before.

Found a bug in one of our websites or similar? While we can't offer you any monetary reward, we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.

We believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.

Rewards

Our rewards are based on severity and range up to $5,000. To give you some guidance, we have compiled the list below:

Impact | Definition | Highest possible reward
---|---|---
Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE) | $5,000
High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $2,000
Medium | Limited disclosure of user data or attacks granting access to a single user's session. (i.e. XSS with CSP bypass) | $750
Low | Very limited disclosure of user data or attacks involving a highly unlikely amount of user interaction. | $250

FireBounty © 2015-2019