How to Report a Vulnerability in ownCloud Securely
Security Disclosure Policy
ownCloud — a Kiteworks company
The security of ownCloud and its users is a core responsibility.
We operate a formal Vulnerability Disclosure Policy and Bug Bounty Program to ensure that security issues are identified, reported, and resolved effectively.
How to Report a Vulnerability
Report security vulnerabilities through our official channels:
- VDP Platform: security.owncloud.com
- Bug Bounty Program: ownCloud on YesWeHack (yeswehack.com/programs/owncloud-bug-bounty-program)
- Email (for issues outside bug bounty scope): security@owncloud.com
Do not report security vulnerabilities through public GitHub issues, forum posts, or social media. Public disclosure of unpatched vulnerabilities puts users at risk and disqualifies reports from the bug bounty program.
What to Include in Your Report
A useful vulnerability report includes at minimum:
- A clear description of the vulnerability and its potential impact.
- The affected product and version (oCIS, Desktop Client, Android, iOS, or ownCloud Server 10.x).
- Steps to reproduce the issue, ideally with a proof of concept.
- Your assessment of severity (CVSS score if possible).
The more detail you provide, the faster we can triage and resolve the issue.
Our Commitment to You
When you report a vulnerability through our official channels, we commit to the following:
- Assessment. A member of the ownCloud security team will evaluate the vulnerability, determine its impact, and classify its severity.
- Resolution. We will develop and test a fix, apply it to the relevant branches, and package it in the next security release. For critical issues, we may issue an out-of-band release.
Rules of Engagement
We ask that security researchers follow these guidelines:
- Only test for vulnerabilities on your own installation of ownCloud.
- Do not access, modify, or delete data belonging to other users.
- Do not perform denial-of-service attacks against ownCloud infrastructure.
- Do not publish vulnerability details until ownCloud has issued a fix and public advisory.
- Allow reasonable time for the security team to respond and remediate.
- If you are unsure whether something is in scope, ask us first at security@owncloud.com.
Bug Bounty Program
Our bug bounty program on YesWeHack rewards security researchers for qualifying vulnerabilities based on severity. Severity is determined at the discretion of the ownCloud security team. Bounties are paid through the YesWeHack platform. Vulnerabilities requiring administrator privileges (CVSS PR:H) are generally capped at High severity unless chained with a privilege escalation.
Out of Scope
The following are generally out of scope for our bug bounty program:
- Network-level attacks (DDoS, MitM without application-layer impact).
- Social engineering or phishing attacks on ownCloud staff.
- Issues in third-party applications not maintained by ownCloud (report these to the respective maintainer).
- Missing security headers with no demonstrable impact.
- SPF/DKIM/DMARC misconfigurations.
- Session expiration policies.
- Reports from automated scanners without validated proof of concept.
Supply Chain and Dependency Vulnerabilities
If you discover a vulnerability in a dependency used by ownCloud (a library, container image, or build tool), please report it through our standard channels. We will coordinate disclosure with the upstream maintainer where appropriate.
ownCloud monitors its supply chain through automated scanning and maintains an SBOM (Software Bill of Materials) process.
Contact
- VDP / Bug Bounty: security.owncloud.com / YesWeHack
- Security Team Email: security@owncloud.com
- OSPO Contact: ospo@kiteworks.com