Reward
50 $
In Scope
| Scope Type | Scope Name |
|---|---|
| android_application | com.nextcloud.talk2 |
| android_application | com.nextcloud.client |
| android_application | https://play.google.com/store/apps/details?id=com.nextcloud.talk2 __ |
| android_application | https://play.google.com/store/apps/details?id=com.nextcloud.client __ |
| ios_application | it.twsweb.Nextcloud |
| ios_application | com.nextcloud.Talk |
| ios_application | https://itunes.apple.com/app/nextcloud/id1125420102 __ |
| ios_application | https://itunes.apple.com/app/id1296825574 __ |
| undefined | nextcloud/survey_client |
| undefined | nextcloud/gallery |
| undefined | nextcloud/files_accesscontrol |
| undefined | nextcloud/server |
| undefined | nextcloud/3rdparty |
| undefined | nextcloud/updater |
| undefined | nextcloud/logreader |
| undefined | nextcloud/spreed |
| undefined | nextcloud/nextcloud_announcements |
| undefined | nextcloud/serverinfo |
| undefined | nextcloud/files_retention |
| undefined | nextcloud/files_automatedtagging |
| undefined | nextcloud/user_saml |
| undefined | nextcloud/password_policy |
| undefined | nextcloud/notifications |
| undefined | nextcloud/firstrunwizard |
| undefined | nextcloud/files_videplayer |
| undefined | nextcloud/files_texteditor |
| undefined | nextcloud/files_pdfviewer |
| undefined | nextcloud/activity |
| undefined | Desktop Client |
| undefined | https://github.com/nextcloud/survey_client __ |
| undefined | https://github.com/nextcloud/gallery __ |
| undefined | https://github.com/nextcloud/files_accesscontrol __ |
| undefined | https://github.com/nextcloud/server __ |
| undefined | https://github.com/nextcloud/3rdparty __ |
| undefined | https://github.com/nextcloud/updater __ |
| undefined | https://github.com/nextcloud/logreader __ |
| undefined | https://github.com/nextcloud/spreed __ |
| undefined | https://github.com/nextcloud/nextcloud_announcements __ |
| undefined | https://github.com/nextcloud/serverinfo __ |
| undefined | https://github.com/nextcloud/files_retention __ |
| undefined | https://github.com/nextcloud/files_automatedtagging __ |
| undefined | https://github.com/nextcloud/user_saml __ |
| undefined | https://github.com/nextcloud/password_policy __ |
| undefined | https://github.com/nextcloud/firstrunwizard __ |
| undefined | https://github.com/nextcloud/files_videoplayer __ |
| undefined | https://github.com/nextcloud/files_texteditor __ |
| undefined | https://github.com/nextcloud/files_pdfviewer __ |
| undefined | https://github.com/nextcloud/activity __ |
| undefined | https://nextcloud.com/install/#install-clients __ |
| web_application | https://customerupdates.nextcloud.com |
| web_application | https://updates.nextcloud.com |
| web_application | https://download.nextcloud.com |
| web_application | https://nextcloud.com |
| web_application | https://portal.nextcloud.com |
| web_application | https://support.nextcloud.com |
| web_application | https://stats.nextcloud.com |
| web_application | https://static.apps.nextcloud.com |
| web_application | https://crm.nextcloud.com |
| web_application | https://scan.nextcloud.com/ |
| web_application | https://apps.nextcloud.com/ |
| web_application | https://lookup.nextcloud.com |
| web_application | https://surveyserver.nextcloud.com |
| web_application | https://push-notifications.nextcloud.com |
| web_application | https://lists.nextcloud.com |
| web_application | https://docs.nextcloud.com |
| web_application | https://knowledge.nextcloud.com |
| web_application | https://projects.nextcloud.com |
| web_application | https://usercontent.apps.nextcloud.com |
| web_application | https://help.nextcloud.com |
| web_application | https://logs.nextcloud.com |
| web_application | https://auth.nextcloud.com |
| web_application | https://newsletter.nextcloud.com |
| web_application | https://pushfeed.nextcloud.com |
| web_application | Client updater server: |
| web_application | https://github.com/nextcloud/client_updater_server |
| web_application | Server updater server: |
| web_application | https://github.com/nextcloud/updater_server |
| web_application | Client updater server: |
| web_application | https://github.com/nextcloud/client_updater_server |
| web_application | Server updater server: |
| web_application | https://github.com/nextcloud/updater_server |
| web_application | While updates and downloads are cryptographically signed this is still a core part of Nextcloud. We thus pay out monetary rewards for issues affecting the integrity of the system. (e.g. allowing an attacker replacing arbitrary files on the system) |
| web_application | https://github.com/nextcloud/notifications __ |
| web_application | https://github.com/nextcloud/survey_server __ |
| web_application | https://github.com/nextcloud/nextcloud.com __ |
| web_application | Portal with support answers by the Nextcloud support team. |
| web_application | https://zammad.com/contact __ |
| web_application | http://www.keycloak.org/ __ |
| web_application | http://www.keycloak.org/ __ |
| web_application | https://github.com/nextcloud/documentation __ |
| web_application | Runs the web interface for the software used by the Nextcloud security scanner. |
| web_application | https://github.com/nextcloud/appstore __ |
| web_application | https://github.com/nextcloud/lookup-server/ __ |
| web_application | http://www.keycloak.org/ __ |
| web_application | https://github.com/nextcloud/notifications __ |
| web_application | http://www.keycloak.org/ __ |
| web_application | https://github.com/nextcloud/appstore __ |
| web_application | http://www.keycloak.org/ __ |
| web_application | http://www.keycloak.org/ __ |
| web_application | https://github.com/nextcloud/usercontent.apps.nextcloud.com __ |
| web_application | https://hackerone.com/discourse |
| web_application | http://www.keycloak.org/ __ |
| web_application | https://github.com/nextcloud/announcer __ |
Out of Scope
| Scope Type | Scope Name |
|---|---|
| web_application | https://cloud.nextcloud.com |
| web_application | https://drone.nextcloud.com |
| web_application | https://demo.nextcloud.com |
| web_application | https://conf.nextcloud.com |
| web_application | https://sentry.nextcloud.com |
| web_application | https://cloud.nextcloud.com __ |
| web_application | https://github.com/drone/drone __ |
| web_application | https://demo.nextcloud.com __ |
| web_application | eventyay page __ |
| web_application | https://sentry.io/security/ __ |
| web_application | https://cloud.nextcloud.com __ |
Nextcloud
As an open-source project we know and believe in the well-known Linus' law:
Given enough eyeballs, all bugs are shallow
We're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. If you're interested in learning how we handle security you can read more about it on our dedicated security page __.
We know how valuable your time is and employ a "No bullshit policy" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:
A bug is for us something that actively allows an attacker to escalate their privileges. Something like "Attacker can delete arbitrary files of other users" is fine, "Missing X-Frame-Options on the download servers" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)
Found a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our threat model __before.
Found a bug in one of our websites or so? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.
We believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.
Our rewards are based on severity and range up to $5,000. To give you some guidance we have compiled below list:
Impact | Definition | Highest possible reward
---|---|---
Critical | Gaining remote code execution on the server as a non-admin user.
(i.e. RCE) | $5,000
High | Gaining access to complete user data of any other user. (i.e. Auth
Bypass) | $2,000
Medium | Limited disclosure of user data or attacks granting access to a
single users' user session. (i.e. XSS with CSP bypass) | $750
Low | Very limited disclosure of user data or attacks involving a very high
unlikely amount of user interaction. | $250
FireBounty © 2015-2019
