SECURITY.md

Security Policy

Security is very important to us.

If you believe you have found a security vulnerability that meets our definition of a security vulnerability, please report it as described below.

Context

Please review our threat model and accepted risks to learn what is currently considered a security vulnerability versus expected behavior. Also review what is considered in scope or bounty eligible.

You can expect a response within 24 hours in most cases.

Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues.**

If you have discovered a security matter with Nextcloud, please read our responsible disclosure guidelines and contact us at hackerone.com/nextcloud.

Your report should include:

  • Product version
  • A vulnerability description
  • Reproduction steps
  • Any other details you think are likely to be important

What to Expect

You should receive an initial acknowledgement within 24 hours in most cases.

A member of the security team will confirm the vulnerability, determine its impact, follow up with any questions, and coordinate a fix.

The fix will be applied to the master branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added to the hall of fame as a thank you from the entire Nextcloud community.

Bug Bounties

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details on past bounty ranges can be found at hackerone.com/nextcloud.

Existing Security Advisories

Past advisories can be viewed at https://github.com/nextcloud/security-advisories/security/advisories.

Supported Versions

The latest three major release versions of Nextcloud are currently being supported with security updates. Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.

Additional Information

Please visit https://nextcloud.com/security/ for further information about Nextcloud security. Please visit https://nextcloud.com/security/threat-model for our threat model and accepted risks.