As an open-source company, we believe in transparency and the importance of community. With 800+ contributors and over 10,000 different ticket participants, we are proud to be the most downloaded open source project for file sync and share.
We want to take the security of ownCloud one step further. We’re the company behind the ownCloud Project and we are calling upon security experts across the globe to help us.
The ownCloud Security Bug Bounty Program
The ownCloud Security Bug Bounty Program rewards community members for finding security bugs in the ownCloud Server. When a security bug is identified, it is either submitted directly via HackerOne (https://hackerone.com/owncloud) or, if the submitter chooses not to get a bounty, emailed to the ownCloud security mailing list (email@example.com). If the bug is identified as meaningful and qualifies for the program, and the submitter has followed the Disclosure Policy, the bug bounty is paid out on the following schedule by bug severity:
- Critical ($5000)
Giving the adversary complete control over the server. (RCE / SQL Injection / …)
- High ($2000)
Gaining access to the complete user data of any other user (i.e. Auth Bypass), or SQL Injection with critical effects.
- Medium ($750)
Allowing the adversary to gain complete control over a single user session. (Stored XSS with CSP bypass / Critical CSRF / …)
- Low ($250)
Vulnerabilities that can only be exploited in very rare cases or have marginal impact. (High amount of unlikely user interaction / …)
- Very Low (Swag)
Vulnerabilities that affect our servers (Trace Method on, Directory Listing…)
The determination of the severity of the bug is at the discretion of ownCloud and the ownCloud security team. All bounties will be paid using the HackerOne platform, a site that manages bug bounty payouts and security contacts for software vendors.
Eligible ownCloud Components
Only ownCloud Server, the Enterprise Edition applications, the official ownCloud iOS and Android mobile apps and the Windows, Mac and Linux desktop clients are eligible for a bug bounty payout.
While there are hundreds of ownCloud community apps out there, and even apps for free or pay in the various app stores, ownCloud is not able to cover the entire server and mobile app spectrum in this bug bounty program. While we will accept reports of bugs on these other components not officially offered by ownCloud, Inc, we cannot offer a bounty for elements outside of those listed above. A more thorough list of the components eligible for the program, including a list of vulnerability types by component that are eligible for the bug bounty program, is available below.
Please use the following guidelines for disclosing security bugs:
- Inform ownCloud upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party
- Only test for vulnerabilities on your own installation of ownCloud server, desktop or related mobile applications
- Do not publish information related to the vulnerability until ownCloud has made an announcement to the community
In case of duplicate reports we only reward the first reporter of the vulnerability. Public disclosure prior to resolution and without explicit confirmation by the ownCloud Security Team will result in disqualification for the bounty program.
ownCloud Server Applications in Scope
Please understand that while ownCloud GmbH is the company supporting the development of ownCloud and the ownCloud community, we are only able to pay out for vulnerabilities affecting customers – which include ownCloud Server, supported Enterprise Edition applications, mobile apps and desktop clients. To give you an understanding of eligible components we have compiled a list below.
We accept reports for other ownCloud components not covered by the bug bounty program, but will not be able to award bounties. If you are wondering whether a component is in scope, let firstname.lastname@example.org know. Otherwise, please submit your bug to github.com/owncloud. For transparency reasons, we have published a list of eligible components at our HackerOne page.
Frequently Asked Questions
Why do you exclude the ownCloud websites?
For the time being we want to focus our efforts on ownCloud Server instead of vulnerabilities within our website. However, if you find a security bug in our website we welcome any report, though we cannot offer a monetary incentive.
Why is this Security Bug Bounty Program excluding “Community Edition” apps?
ownCloud Server is a platform at the core of all ownCloud installations, whether free or paid. This benefits everyone, including the ownCloud community, ownCloud customers and ownCloud, Inc. However, there are many apps that have been built for ownCloud that we do not know, have not inspected, do not maintain, and do not commercially support. For this reason, we cannot stand behind the quality of these apps or offer a bounty on these apps at this time.
How much time will it take you to fix a vulnerability?
We have pledged to fix any vulnerability within 90 days of the report. Usually we are able to have a patch within less than 30 days. For more complicated vulnerabilities, however, we may need some more time.
Do I qualify if I contributed the vulnerable code or am an employee of ownCloud?
Neither contributions by employees of ownCloud nor contributions from persons that contributed the vulnerable code qualify for the bounty program.
Is there a limit to the number of bugs I can submit?
There is no limitation. Please note that invalid submissions do decrease your overall rating on HackerOne. Additionally, if you report several issues with closely related root causes, we may choose to pay only one bounty.
Where should I report bugs without security implication or hardening guidance?
Please report all non-security bugs as well as general hardening advice at https://github.com/owncloud/core.
A Better ownCloud for All
No technology is perfect, and ownCloud, Inc. believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We created the ownCloud Security Bug Bounty Program to reward security researchers for finding issues in the ownCloud Server, and in so doing help strengthen ownCloud Server for customers, users and the community.