Securing your ownCloud server
For server owners, our documentation has a section with best practices and tips on securing an ownCloud server.
Hall of fame
People who helped make ownCloud more secure. Thank you!
If you’ve discovered a security issue with ownCloud, please read our responsible disclosure guidelines and contact us via HackerOne. Your report should include at least the following three things:
- Product version
- A vulnerability description
- Reproduction steps
A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. The fix will be applied to the master branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added to the hall of fame as a thank you from the entire ownCloud community.
Responsible Disclosure Guidelines
The ownCloud community kindly requests that you comply with the following guidelines when researching and reporting security vulnerabilities:
- Only test for vulnerabilities on your own install of ownCloud Server
- Confirm the vulnerability applies to a supported product version
- Share vulnerabilities in detail only with the security team
- Allow reasonable time for a response from the security team
- Do not publish information related to the vulnerability until ownCloud has made an announcement to the community
Out of scope
Usually, the following types of bugs are out of scope for our security program:
- Network level vulnerabilities (e.g. DDoS)
- Bugs in infrastructure
Supported Product Versions
ownCloud Desktop Client:
Vulnerabilities in third-party applications should also be reported to the security team. The security team is not responsible for the security of these apps, but will attempt to contact the third-party app maintainer and then take appropriate action.
Bypassing File Firewall (oC-SA-2020-002)
Public-Link Password-Bypass via Image-Previews
SSRF in “Add to your ownCloud” functionality
Deleting received group share for whole group
Possibility to extend internal-share permissions using the API
XSS in Error Page
Share tokens for public calendars disclosed
Normal user can somehow make admin to delete shared folders
ownCloud Desktop Client
Local Code Injection
ownCloud Mobile Apps
4/7/2016, Android v1.9.1: Bypass of application-specific PIN
8/31/2015, iOS v3.4.4: Improper validation of certificates within the iOS application
8/3/2015, iOS v3.4.4: Credentials potentially leaked to other configured ownCloud instance