I’m very excited to announce the new ownCloud Security Bug Bounty Program. This program will utilize the creativity and skill of the security research community to take the security of ownCloud to the next level. As an open-source company, ownCloud believes in transparency and the importance of community. With 800+ contributors and over 10,000 different ticket participants, ownCloud is proud to be the most downloaded open source project for file sync and share.
Being able to offer secure software is a top priority here at ownCloud. In fact, we already have security professionals on the team, and regularly pass independent security audits and penetration tests to augment our internal security capabilities.
We realize that no technology is perfect, and believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We created the ownCloud Security Bug Bounty Program to reward security researchers for finding issues in the ownCloud Server, and in so doing help strengthen ownCloud Server for customers, users and the community.
Bug Bounty Programs (or Vulnerability Reward Programs) are a widely accepted and proven measure to complement internal security processes. Many of the leading technology companies are offering these, including Microsoft, Google, Samsung, Drupal and Github. We’re thrilled to be joining them in pursuing this best practice in securing our software. We are partnering with HackerOne, the leading vulnerability management and bug bounty platform provider to implement our program.
Some additional information about the program:
- What is the maximum bounty? We are offering rewards up to $500 for security vulnerabilities depending on the impact. An up-to-date schedule of payouts can be found on our HackerOne page.
- Where should I report bugs without security implication or hardening guidance? Please report all non-security bugs as well as general hardening advice at https://github.com/owncloud/core.
- Which versions of ownCloud are in scope? The scope for the Security Bug Bounty Program starts with ownCloud version 8.1.2.
- What if I report a duplicate vulnerability? In case of duplicate reports we only reward the first reporter of the vulnerability.
- What applications are in scope? Code shipped within the ownCloud Enterprise Edition is in scope. Please look at our HackerOne page for more information and explicit exclusions. We will also acknowledge reports of ineligible components at HackerOne but not be able to payout rewards for vulnerabilities affecting them.
- What are the other rules? Please take a look at our HackerOne page linked below.
- Where can I report vulnerabilities? We have chosen HackerOne as platform for external security reports: https://hackerone.com/owncloud If you do not want to register at HackerOne please contact firstname.lastname@example.org. We can however only payout bounties using the HackerOne platform.
For more information about the exact scope of the ownCloud Security Bug Bounty Program visit our HackerOne page: https://hackerone.com/owncloud.
If you have any questions about this program, please do not hesitate to reach out to me at email@example.com.