[{"id":3773031,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Important notice ⚠️\n\n## No monetary bounties\n\nPlease note that Nextcloud does not offer monetary bounties for security reports submitted through this program.\n\nDue to the large amount of AI-generated illegitimate reports, we have *temporarily suspended* our paid bounty program and no financial rewards will be awarded for any submissions, regardless of severity.\nWe remain deeply committed to security and to working with the research community. Valid reports will still be triaged, fixed, and publicly acknowledged after disclosure, and reporters will continue to receive recognition through this platform. We greatly appreciate the time and effort that researchers invest in helping us keep Nextcloud secure.\n\nAs you are likely aware, this is an industry-wide challenge and like others, we have been unable to find ways to responsibly handle the massive increase of low quality reports. We hope to be able to restart the program once a reliable approach to filtering out the low-effort reports has been found. We have already engaged with HackerOne on this and will continue to do so.\n\n## AI-generated reports\n\nGiven the high number of generic AI security reports, we are emphasizing the following:\n\n- We accept only issues that you have reproduced yourself, proven by screenshots.\n- Do not submit a report before reproducing the issue.\n\nLow-effort AI-generated reports will be ignored and closed as Spam (-10 reputation) and may lead to your suspension from this program.\n\n# Program policy\n\n- Keep your reports short and concise, only include the relevant information about what the threat is and how to reproduce it. 
Do not overexaggerate your reports.\n- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.\n- Same rule apply to with secrets, keys and credentials.\n- If you use large language models (LLMs), please disclose how you used LLMs, and carefully review and edit its output before you send it to us. Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.\n- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. If you use services, such as large language models, only use services that run locally on your own hardware to ensure our security information does not leak to the outside world.\n- All reports must be validated manually, submission from automated tools (code analysis tools, AI, …) won't be considered unless manually reviewed and validated from your side.\n- If your report mostly contains \"AI slop reports\" (in other words reports that are generated largely by LLMs) or is auto generated, without careful review from you and thus result in additional work on our side or even invalid reports, we consider the following actions a valid option:\n    - 🔒 Closing your reports as Spam\n    - ⛔ Block you from our program\n\nInstead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n- Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see Scope list for all qualifying and packaged components. 
**Third-party apps from the AppStore are not part of our program.**)\n    - Please check the top of our wiki for **Current version** to see which Nextcloud Server versions are eligible: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule\n    - For Apps only the latest version compatible with those Nextcloud Server versions are eligible\n    - Reports that do not mention a Nextcloud Server version or the App version where applicable will be closed as N/A\"\n- Bugs within the mobile iOS and Android sync clients\n    - Only the latest version of each client available in the respective store is eligible\n- Bugs within the desktop clients for Mac, Windows, and Linux\n    - Only the latest version of each client is eligible\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"*Attacker can delete arbitrary files of other users*\" is fine to be reported, \"*Missing X-Frame-Options on the download servers*\" not so much. At the moment we are also considering \"*Denial of Service*\" out of scope, we will acknowledge you though!\n\nFound a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or app that is not in scope? We will acknowledge the issue and happily accept reports for it via this platform as well.\n\n- Please do not run any Denial of Service attacks against our infrastructure or extract user data.\n- Please do also refrain from using automated testing tools against our infrastructure.\n- Do not disclose bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Disclosure guideline\n\nWe are committed to resolving reported vulnerabilities promptly. 
Our target is to provide a resolution within **90 days** of triage. We ask reporters not to disclose any details about the vulnerability until a fix has been released or the 90-day resolution window has elapsed. All communication regarding the vulnerability, including status updates, clarifications, and disclosure requests should happen within the HackerOne platform. Please do not reach out through other public or private channels.\n\n# Recognition\n\nWhile we no longer offer monetary rewards, we recognize the contributions of security researchers in the following ways:\n\n- Public acknowledgment on the HackerOne platform\n- Reputation points for valid reports\n- Credit in our security advisories upon disclosure (where applicable and with your consent)\n\nThank you for helping us keep Nextcloud and its users secure.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-22T18:23:05.782Z"},{"id":3772917,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Important notice ⚠️\n\n## No monetary bounties\n\nPlease note that **Nextcloud does not offer monetary bounties** for security reports submitted through this program. We have discontinued our paid bounty program and no financial rewards will be awarded for any submissions, regardless of severity.\n\nWe remain deeply committed to security and to working with the research community. Valid reports will still be triaged, fixed, and publicly acknowledged after disclosure, and reporters will continue to receive recognition through this platform. 
We greatly appreciate the time and effort that researchers invest in helping us keep Nextcloud secure.\n\n## AI-generated reports\n\nGiven the high number of generic AI security reports, we are emphasizing the following:\n\n- We accept only issues that you have reproduced yourself, proven by screenshots.\n- Do not submit a report before reproducing the issue.\n\nLow-effort AI-generated reports will be ignored and closed as Spam (-10 reputation) and may lead to your suspension from this program.\n\n# Program policy\n\n- Keep your reports short and concise, only include the relevant information about what the threat is and how to reproduce it. Do not overexaggerate your reports.\n- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.\n- Same rule apply to with secrets, keys and credentials.\n- If you use large language models (LLMs), please disclose how you used LLMs, and carefully review and edit its output before you send it to us. Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.\n- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. 
If you use services, such as large language models, only use services that run locally on your own hardware to ensure our security information does not leak to the outside world.\n- All reports must be validated manually, submission from automated tools (code analysis tools, AI, …) won't be considered unless manually reviewed and validated from your side.\n- If your report mostly contains \"AI slop reports\" (in other words reports that are generated largely by LLMs) or is auto generated, without careful review from you and thus result in additional work on our side or even invalid reports, we consider the following actions a valid option:\n    - 🔒 Closing your reports as Spam\n    - ⛔ Block you from our program\n\nInstead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n- Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see Scope list for all qualifying and packaged components. **Third-party apps from the AppStore are not part of our program.**)\n    - Please check the top of our wiki for **Current version** to see which Nextcloud Server versions are eligible: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule\n    - For Apps only the latest version compatible with those Nextcloud Server versions are eligible\n    - Reports that do not mention a Nextcloud Server version or the App version where applicable will be closed as N/A\"\n- Bugs within the mobile iOS and Android sync clients\n    - Only the latest version of each client available in the respective store is eligible\n- Bugs within the desktop clients for Mac, Windows, and Linux\n    - Only the latest version of each client is eligible\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"*Attacker can delete arbitrary files of other users*\" is fine to be reported, \"*Missing X-Frame-Options on the download servers*\" not so much. 
At the moment we are also considering \"*Denial of Service*\" out of scope, we will acknowledge you though!\n\nFound a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or app that is not in scope? We will acknowledge the issue and happily accept reports for it via this platform as well.\n\n- Please do not run any Denial of Service attacks against our infrastructure or extract user data.\n- Please do also refrain from using automated testing tools against our infrastructure.\n- Do not disclose bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Disclosure guideline\n\nWe are committed to resolving reported vulnerabilities promptly. Our target is to provide a resolution within **90 days** of triage. We ask reporters not to disclose any details about the vulnerability until a fix has been released or the 90-day resolution window has elapsed. All communication regarding the vulnerability, including status updates, clarifications, and disclosure requests should happen within the HackerOne platform. 
Please do not reach out through other public or private channels.\n\n# Recognition\n\nWhile we no longer offer monetary rewards, we recognize the contributions of security researchers in the following ways:\n\n- Public acknowledgment on the HackerOne platform\n- Reputation points for valid reports\n- Credit in our security advisories upon disclosure (where applicable and with your consent)\n\nThank you for helping us keep Nextcloud and its users secure.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-21T07:49:44.253Z"},{"id":3772547,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Important notice ⚠️\nGiven the high number of generic AI security reports, we are emphasizing the following:\n- We accept only issues that you have reproduced yourself, proven by screenshots.\n- Do not submit a report before reproducing the issue.\n\nLow-effort AI-generated reports will be ignored and closed as Spam (-10 reputation) and may lead to your suspension from this program.\n\n# Program policy\n\n- Keep your reports short and concise, only include the relevant information about what the threat is and how to reproduce it. Do not overexaggerate your reports.\n- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) 
as much as possible.\n- Same rule apply to with secrets, keys and credentials.\n- If you use large language models (LLMs), please disclose how you used LLMs, and carefully review and edit its output before you send it to us. Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.\n- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. If you use services, such as large language models, only use services that run locally on your own hardware to ensure our security information does not leak to the outside world.\n- All reports must be validated manually, submission from automated tools (code analysis tools, AI, …) won't be considered unless manually reviewed and validated from your side.\n- If your report mostly contains \"AI slop reports\" (in other words reports that are generated largely by LLMs) or is auto generated, without careful review from you and thus result in additional work on our side or even invalid reports, we consider the following actions a valid option:\n    - 🔒 Closing your reports as Spam\n    - 💸 Reducing bounties\n    - ⛔ Block you from our program\n\nInstead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n- Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see Scope list for all qualifying and packaged components. 
**Third-party apps from the AppStore are not part of our bounty program.**)\n    - Please check the top of our wiki for **Current version** to see which Nextcloud Server versions are eligible: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule\n    - For Apps only the latest version compatible with those Nextcloud Server versions are eligible\n    - Reports that do not mention a Nextcloud Server version or the App version where applicable will be closed as N/A\"\n- Bugs within the mobile iOS and Android sync clients\n    - Only the latest version of each client available in the respective store is eligible\n- Bugs within the desktop clients for Mac, Windows, and Linux\n    - Only the latest version of each client is eligible\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"*Attacker can delete arbitrary files of other users*\" is fine to be reported, \"*Missing X-Frame-Options on the download servers*\" not so much. At the moment we are also considering \"*Denial of Service*\" not a reward worthy vulnerability, we will acknowledge you though!\n\nFound a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. These scopes are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or app that is not in scope? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well.\n\n- Please do not run any Denial of Service attacks against our infrastructure or extract user data.\n- Please do also refrain from using automated testing tools against our infrastructure.\n- Do not disclose bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Disclosure guideline\n\nWe are committed to resolving reported vulnerabilities promptly. Our target is to provide a resolution within 90 days of triage. We ask reporters not to disclose any details about the vulnerability until a fix has been released or the 90-day resolution window has elapsed. All communication regarding the vulnerability, including status updates, clarifications, and disclosure requests should happen within the HackerOne platform. Please do not reach out through other public or private channels.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled below list:\n\n| Impact   | Definition                                                                                                             | Highest possible reward |\n|----------|------------------------------------------------------------------------------------------------------------------------|-------------------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE)                                            | $10,000                 |\n| High     | Gaining access to complete user data of any other user. (i.e. Auth Bypass)                                             | $4,000                  |\n| Medium   | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. 
XSS with CSP bypass) | $1,500                  |\n| Low      | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction.             | $500                    |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-13T19:29:55.317Z"},{"id":3771705,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Important notice ⚠️\nGiven the high number of generic AI security reports, we are emphasizing the following:\n- We accept only issues that you have reproduced yourself, proven by screenshots.\n- Do not submit a report before reproducing the issue.\n\nLow-effort AI-generated reports will be ignored and closed as Spam (-10 reputation) and may lead to your suspension from this program.\n\n# Program policy\n\n- Keep your reports short and concise, only include the relevant information about what the threat is and how to reproduce it. Do not overexaggerate your reports.\n- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.\n- Same rule apply to with secrets, keys and credentials.\n- If you use large language models (LLMs), please disclose how you used LLMs, and carefully review and edit its output before you send it to us. 
Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.\n- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. If you use services, such as large language models, only use services that run locally on your own hardware to ensure our security information does not leak to the outside world.\n- All reports must be validated manually, submission from automated tools (code analysis tools, AI, …) won't be considered unless manually reviewed and validated from your side.\n- If your report mostly contains \"AI slop reports\" (in other words reports that are generated largely by LLMs) or is auto generated, without careful review from you and thus result in additional work on our side or even invalid reports, we consider the following actions a valid option:\n    - 🔒 Closing your reports as Spam\n    - 💸 Reducing bounties\n    - ⛔ Block you from our program\n\nInstead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n- Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see Scope list for all qualifying and packaged components. 
**Third-party apps from the AppStore are not part of our bounty program.**)\n    - Please check the top of our wiki for **Current version** to see which Nextcloud Server versions are eligible: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule\n    - For Apps only the latest version compatible with those Nextcloud Server versions are eligible\n    - Reports that do not mention a Nextcloud Server version or the App version where applicable will be closed as N/A\"\n- Bugs within the mobile iOS and Android sync clients\n    - Only the latest version of each client available in the respective store is eligible\n- Bugs within the desktop clients for Mac, Windows, and Linux\n    - Only the latest version of each client is eligible\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"*Attacker can delete arbitrary files of other users*\" is fine to be reported, \"*Missing X-Frame-Options on the download servers*\" not so much. At the moment we are also considering \"*Denial of Service*\" not a reward worthy vulnerability, we will acknowledge you though!\n\nFound a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. These scopes are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or app that is not in scope? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well.\n\n- Please do not run any Denial of Service attacks against our infrastructure or extract user data.\n- Please do also refrain from using automated testing tools against our infrastructure.\n- Do not disclose bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled below list:\n\n| Impact   | Definition                                                                                                             | Highest possible reward |\n|----------|------------------------------------------------------------------------------------------------------------------------|-------------------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE)                                            | $10,000                 |\n| High     | Gaining access to complete user data of any other user. (i.e. Auth Bypass)                                             | $4,000                  |\n| Medium   | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS with CSP bypass) | $1,500                  |\n| Low      | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction.             
| $500                    |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-26T12:24:00.160Z"},{"id":3771662,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Important notice ⚠️\nGiven the high number of generic AI security reports, we are emphasizing the following:\n- We accept only issues that you have reproduced yourself, proven by screenshots.\n- Do not submit a report before reproducing the issue.\n\nLow-effort AI-generated reports will be ignored and closed as Spam (-20 reputation) and may lead to your suspension from this program.\n\n# Program policy\n\n- Keep your reports short and concise, only include the relevant information about what the threat is and how to reproduce it. Do not overexaggerate your reports.\n- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.\n- Same rule apply to with secrets, keys and credentials.\n- If you use large language models (LLMs), please disclose how you used LLMs, and carefully review and edit its output before you send it to us. Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.\n- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. 
If you use services, such as large language models, only use services that run locally on your own hardware to ensure our security information does not leak to the outside world.\n- All reports must be validated manually, submission from automated tools (code analysis tools, AI, …) won't be considered unless manually reviewed and validated from your side.\n- If your report mostly contains \"AI slop reports\" (in other words reports that are generated largely by LLMs) or is auto generated, without careful review from you and thus result in additional work on our side or even invalid reports, we consider the following actions a valid option:\n    - 🔒 Closing your reports as Spam\n    - 💸 Reducing bounties\n    - ⛔ Block you from our program\n\nInstead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n- Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see Scope list for all qualifying and packaged components. **Third-party apps from the AppStore are not part of our bounty program.**)\n    - Please check the top of our wiki for **Current version** to see which Nextcloud Server versions are eligible: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule\n    - For Apps only the latest version compatible with those Nextcloud Server versions are eligible\n    - Reports that do not mention a Nextcloud Server version or the App version where applicable will be closed as N/A\"\n- Bugs within the mobile iOS and Android sync clients\n    - Only the latest version of each client available in the respective store is eligible\n- Bugs within the desktop clients for Mac, Windows, and Linux\n    - Only the latest version of each client is eligible\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. 
Something like \"*Attacker can delete arbitrary files of other users*\" is fine to be reported, \"*Missing X-Frame-Options on the download servers*\" not so much. At the moment we are also considering \"*Denial of Service*\" not a reward worthy vulnerability, we will acknowledge you though!\n\nFound a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. These scopes are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or app that is not in scope? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well.\n\n- Please do not run any Denial of Service attacks against our infrastructure or extract user data.\n- Please do also refrain from using automated testing tools against our infrastructure.\n- Do not disclose bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled below list:\n\n| Impact   | Definition                                                                                                             | Highest possible reward |\n|----------|------------------------------------------------------------------------------------------------------------------------|-------------------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE)                                            | $10,000                 |\n| High     | Gaining access to complete user data of any other user. (i.e. 
Auth Bypass)                                             | $4,000                  |\n| Medium   | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS with CSP bypass) | $1,500                  |\n| Low      | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction.             | $500                    |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-24T20:14:14.160Z"},{"id":3771521,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Important notice ⚠️\nGiven the high number of generic AI security reports, we are emphasizing the following:\n- We accept only issues that you have reproduced yourself, proofed by screenshots.\n- Do not submit a report before reproducing the issue.\n\nLow-effort AI-generated reports will be ignored and closed as Spam (-20 reputation) and may lead to your suspension from this program.\n\n# Program policy\n\n- Keep your reports short and concise, only include the relevant information about what the threat is and how to reproduce it. Do not overexaggerate your reports.\n- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) 
as much as possible.\n- The same rule applies to secrets, keys and credentials.\n- If you use large language models (LLMs), please disclose how you used LLMs, and carefully review and edit their output before you send it to us. Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.\n- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. If you use services, such as large language models, only use services that run locally on your own hardware to ensure our security information does not leak to the outside world.\n- All reports must be validated manually; submissions from automated tools (code analysis tools, AI, …) won't be considered unless manually reviewed and validated from your side.\n- If your report mostly contains \"AI slop reports\" (in other words reports that are generated largely by LLMs) or is auto-generated, without careful review from you, and thus results in additional work on our side or even invalid reports, we consider the following actions a valid option:\n    - 🔒 Closing your reports as Spam\n    - 💸 Reducing bounties\n    - ⛔ Blocking you from our program\n\nInstead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n- Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see Scope list for all qualifying and packaged components. 
**Third-party apps from the AppStore are not part of our bounty program.**)\n    - Please check the top of our wiki for **Current version** to see which Nextcloud Server versions are eligible: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule\n    - For Apps only the latest version compatible with those Nextcloud Server versions is eligible\n    - Reports that do not mention a Nextcloud Server version or the App version where applicable will be closed as N/A\n- Bugs within the mobile iOS and Android sync clients\n    - Only the latest version of each client available in the respective store is eligible\n- Bugs within the desktop clients for Mac, Windows, and Linux\n    - Only the latest version of each client is eligible\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"*Attacker can delete arbitrary files of other users*\" is fine to be reported, \"*Missing X-Frame-Options on the download servers*\" not so much. At the moment we are also considering \"*Denial of Service*\" not a reward-worthy vulnerability; we will acknowledge you though!\n\nFound a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. These are also the scopes for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or apps that is not in scope? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well.\n\n- Please do not run any Denial of Service attacks against our infrastructure or extract user data.\n- Please do also refrain from using automated testing tools against our infrastructure.\n- Do not disclose bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled the list below:\n\n| Impact   | Definition                                                                                                             | Highest possible reward |\n|----------|------------------------------------------------------------------------------------------------------------------------|-------------------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE)                                            | $10,000                 |\n| High     | Gaining access to complete user data of any other user. (i.e. Auth Bypass)                                             | $4,000                  |\n| Medium   | Limited disclosure of user data or attacks granting access to a single user's session. (i.e. XSS with CSP bypass)      | $1,500                  |\n| Low      | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction.         
| $500                    |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-23T09:31:41.109Z"},{"id":3771520,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Important notice ⚠️\nGiven the high number of generic AI security reports, we are emphasizing the following:\n- We accept only issues that you have reproduced yourself, proven by screenshots.\n- Do not submit a report before reproducing the issue.\n\nLow-effort AI-generated reports will be ignored and closed as Spam (-20 reputation) and may lead to your suspension from this program.\n\n# Program policy\n\n- Keep your reports short and concise, and only include the relevant information about what the threat is and how to reproduce it. Do not exaggerate your reports.\n- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.\n- The same rule applies to secrets, keys and credentials.\n- If you use large language models (LLMs), please disclose how you used LLMs, and carefully review and edit their output before you send it to us. Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.\n- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. 
If you use services, such as large language models, only use services that run locally on your own hardware to ensure our security information does not leak to the outside world.\n- All reports must be validated manually; submissions from automated tools (code analysis tools, AI, …) won't be considered unless manually reviewed and validated from your side.\n- If your report mostly contains \"AI slop reports\" (in other words reports that are generated largely by LLMs) or is auto-generated, without careful review from you, and thus results in additional work on our side or even invalid reports, we consider the following actions a valid option:\n    - 🔒 Closing your reports as Spam\n    - 💸 Reducing bounties\n    - ⛔ Blocking you from our program\n\nInstead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n- Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see Scope list for all qualifying and packaged components. **Third-party apps from the AppStore are not part of our bounty program.**)\n    - Please check the top of our wiki for **Current version** to see which Nextcloud Server versions are eligible: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule\n    - For Apps only the latest version compatible with those Nextcloud Server versions is eligible\n    - Reports that do not mention a Nextcloud Server version or the App version where applicable will be closed as N/A\n- Bugs within the mobile iOS and Android sync clients\n    - Only the latest version of each client available in the respective store is eligible\n- Bugs within the desktop clients for Mac, Windows, and Linux\n    - Only the latest version of each client is eligible\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. 
Something like \"*Attacker can delete arbitrary files of other users*\" is fine to be reported, \"*Missing X-Frame-Options on the download servers*\" not so much. At the moment we are also considering \"*Denial of Service*\" not a reward-worthy vulnerability; we will acknowledge you though!\n\nFound a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. These are also the scopes for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or apps that is not in scope? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well.\n\n- Please do not run any Denial of Service attacks against our infrastructure or extract user data.\n- Please do also refrain from using automated testing tools against our infrastructure.\n- Do not disclose bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled the list below:\n\n| Impact   | Definition                                                                                                             | Highest possible reward |\n|----------|------------------------------------------------------------------------------------------------------------------------|-------------------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE)                                            | $10,000                 |\n| High     | Gaining access to complete user data of any other user. (i.e. 
Auth Bypass)                                             | $4,000                  |\n| Medium   | Limited disclosure of user data or attacks granting access to a single user's session. (i.e. XSS with CSP bypass)      | $1,500                  |\n| Low      | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction.         | $500                    |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-23T09:13:40.474Z"},{"id":3768822,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\n- Keep your reports short and concise, and only include the relevant information about what the threat is and how to reproduce it. Do not exaggerate your reports.\n- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.\n- The same rule applies to secrets, keys and credentials.\n- If you use large language models (LLMs), please disclose how you used LLMs, and carefully review and edit their output before you send it to us. Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.\n- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. 
If you use services, such as large language models, only use services that run locally on your own hardware to ensure our security information does not leak to the outside world.\n- All reports must be validated manually; submissions from automated tools (code analysis tools, AI, …) won't be considered unless manually reviewed and validated from your side.\n- If your report mostly contains \"AI slop reports\" (in other words reports that are generated largely by LLMs) or is auto-generated, without careful review from you, and thus results in additional work on our side or even invalid reports, we consider the following actions a valid option:\n    - 🔒 Closing your reports as Spam\n    - 💸 Reducing bounties\n    - ⛔ Blocking you from our program\n\nInstead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n- Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see Scope list for all qualifying and packaged components. **Third-party apps from the AppStore are not part of our bounty program.**)\n    - Please check the top of our wiki for **Current version** to see which Nextcloud Server versions are eligible: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule\n    - For Apps only the latest version compatible with those Nextcloud Server versions is eligible\n    - Reports that do not mention a Nextcloud Server version or the App version where applicable will be closed as N/A\n- Bugs within the mobile iOS and Android sync clients\n    - Only the latest version of each client available in the respective store is eligible\n- Bugs within the desktop clients for Mac, Windows, and Linux\n    - Only the latest version of each client is eligible\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. 
Something like \"*Attacker can delete arbitrary files of other users*\" is fine to be reported, \"*Missing X-Frame-Options on the download servers*\" not so much. At the moment we are also considering \"*Denial of Service*\" not a reward-worthy vulnerability; we will acknowledge you though!\n\nFound a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. These are also the scopes for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or apps that is not in scope? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well.\n\n- Please do not run any Denial of Service attacks against our infrastructure or extract user data.\n- Please do also refrain from using automated testing tools against our infrastructure.\n- Do not disclose bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled the list below:\n\n| Impact   | Definition                                                                                                             | Highest possible reward |\n|----------|------------------------------------------------------------------------------------------------------------------------|-------------------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE)                                            | $10,000                 |\n| High     | Gaining access to complete user data of any other user. (i.e. 
Auth Bypass)                                             | $4,000                  |\n| Medium   | Limited disclosure of user data or attacks granting access to a single user's session. (i.e. XSS with CSP bypass)      | $1,500                  |\n| Low      | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction.         | $500                    |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-27T07:39:38.470Z"},{"id":3764898,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\n- Keep your reports short and concise, and only include the relevant information about what the threat is and how to reproduce it. Do not exaggerate your reports.\n- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.\n- The same rule applies to secrets, keys and credentials.\n- If you use large language models (LLMs), please disclose how you used LLMs, and carefully review and edit their output before you send it to us. Please double-check that your reproduction steps actually work and that all the information you include in the report is valid and correct.\n- Don't leak the contents of your report up front to any SaaS solutions, such as AI services like ChatGPT, search engines, browser plugins, or translation engines. 
If you use services, such as large language models, only use services that run locally on your own hardware to ensure our security information does not leak to the outside world.\n- All reports must be validated manually; submissions from automated tools (code analysis tools, AI, …) won't be considered unless manually reviewed and validated from your side.\n- If your report mostly contains \"AI slop reports\" (in other words reports that are generated largely by LLMs) or is auto-generated, without careful review from you, and thus results in additional work on our side or even invalid reports, we consider the following actions a valid option:\n    - 🔒 Closing your reports as Spam\n    - 💸 Reducing bounties\n    - ⛔ Blocking you from our program\n\nInstead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n- Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see Scope list for all qualifying and packaged components. **Third-party apps from the AppStore are not part of our bounty program.**)\n- Bugs within the mobile iOS and Android sync clients\n- Bugs within the desktop clients for Mac, Windows, and Linux\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"*Attacker can delete arbitrary files of other users*\" is fine to be reported, \"*Missing X-Frame-Options on the download servers*\" not so much. At the moment we are also considering \"*Denial of Service*\" not a reward-worthy vulnerability; we will acknowledge you though!\n\nFound a security bug in one of the mentioned scopes? Awesome! Just report it here and we will get back to you. These are also the scopes for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or apps that is not in scope? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well.\n\n- Please do not run any Denial of Service attacks against our infrastructure or extract user data.\n- Please do also refrain from using automated testing tools against our infrastructure.\n- Do not disclose bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled the list below:\n\n| Impact   | Definition                                                                                                             | Highest possible reward |\n|----------|------------------------------------------------------------------------------------------------------------------------|-------------------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE)                                            | $10,000                 |\n| High     | Gaining access to complete user data of any other user. (i.e. Auth Bypass)                                             | $4,000                  |\n| Medium   | Limited disclosure of user data or attacks granting access to a single user's session. (i.e. XSS with CSP bypass)      | $1,500                  |\n| Low      | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction.         
| $500                    |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-21T10:47:43.228Z"},{"id":3656087,"new_policy":"We're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n1. Bugs within Nextcloud server and apps supported by Nextcloud GmbH (**Note:** see scope below for all qualifying and packaged components. **Third-party apps from the AppStore are not part of our bounty program.**)\n2. Bugs within the mobile iOS and Android sync clients\n3. Bugs within the desktop sync clients for Mac, Windows, and Linux\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward-worthy vulnerability (we will acknowledge you though!).\n\nFound a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These are also the components for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or so? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled the list below:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE) | $10,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $4,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single user's session. (i.e. XSS with CSP bypass) | $1,500 |\n| Low | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction. | $500 |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-03T15:49:05.111Z"},{"id":3656080,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. 
If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n1. Bugs within Nextcloud server and apps supported by Nextcloud GmbH (see scope below for all qualifying and packaged components)\n2. Bugs within the mobile iOS and Android sync clients\n3. Bugs within the desktop sync clients for Mac, Windows, and Linux\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward-worthy vulnerability (we will acknowledge you though!).\n\nFound a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These are also the components for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or so? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. 
To give you some guidance we have compiled the list below:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE) | $10,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $4,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single user's session. (i.e. XSS with CSP bypass) | $1,500 |\n| Low | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction. | $500 |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-03T15:18:31.126Z"},{"id":3650849,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n1. Bugs within Nextcloud server and apps supported by Nextcloud GmbH (see scope below for all qualifying and packaged components)\n2. Bugs within the mobile iOS and Android sync clients\n3. 
Bugs within the desktop sync clients for Mac, Windows, and Linux\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward-worthy vulnerability (we will acknowledge you though!).\n\nFound a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These are also the components for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or so? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled the list below:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE) | $10,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $4,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single user's session. (i.e. 
XSS with CSP bypass) | $1,500 |\n| Low | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction. | $500 |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-06T15:40:07.938Z"},{"id":3619864,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n1. Bugs within Nextcloud server and its packaged components (see scope below for all qualifying and packaged components)\n2. Bugs within the mobile iOS and Android sync clients\n3. Bugs within the desktop sync clients for Mac, Windows, and Linux\n\nFor us a bug is something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward-worthy vulnerability (we will acknowledge you though!).\n\nFound a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These are also the components for which monetary rewards are awarded. 
Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or so? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $10,000. To give you some guidance we have compiled below list:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE) | $10,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $4,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS with CSP bypass) | $1500 |\n| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. 
| $500 |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-24T18:22:24.968Z"},{"id":3619191,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n1. Bugs within Nextcloud server and it's packaged components (see scope below for all qualifying and packaged components)\n2. Bugs within the mobile iOS and Android sync clients\n3. Bugs within the desktop sync clients for Mac, Windows, and Linux\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)\n\nFound a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or so? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $5,000. To give you some guidance we have compiled below list:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE) | $10,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $4,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS with CSP bypass) | $1500 |\n| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. | $500 |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-14T08:32:19.087Z"},{"id":3555760,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. 
If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after:\n\n1. Bugs within Nextcloud server and it's packaged components (see scope below for all qualifying and packaged components)\n2. Bugs within the mobile iOS and Android sync clients\n3. Bugs within the desktop sync clients for Mac, Windows, and Linux\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)\n\nFound a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our websites or so? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed after a grace period.\n\n# Rewards\nOur rewards are based on severity and range up to $5,000. 
To give you some guidance we have compiled below list:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as a non-admin user. (i.e. RCE) | $5,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS with CSP bypass) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. | $250 |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-15T11:45:51.901Z"},{"id":3550131,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. If you're interested to learn how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after: \n\n1. Bugs in the latest published Nextcloud server software ([Download](https://nextcloud.com/install/#instructions-server) / [Source Code](https://github.com/nextcloud/server/tree/stable11?files=1)) (note that \"apps\" you enable from the appstore are not necessarily bundled. 
Only the one from the \"Not enabled\" category)\n2. Bugs in the Nextcloud Android client ([Download](https://play.google.com/store/apps/details?id=com.nextcloud.client) / [Source Code](https://github.com/nextcloud/android)) (we do exclude bugs that do require the existence of another malicious app on the system)\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)\n\nOh, and to make us even happier please go the extra mile to download the software locally. Running tests against our demo infrastructure is something that decreases the experience for other users massively. Whatever you decide to do, do not run any tests against production instances of other people.\n\nFound a security bug in one of above mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our web sites or so? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\n# Rewards\nOur rewards are based on severity and range up to $5,000. 
To give you some guidance we have compiled below list:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as non-admin user. (i.e. RCE) | $5,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS with CSP bypass) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. | $250 |\n\n*Note that we only are able to offer monetary rewards for issues within the software mentioned in our program policy.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-28T22:02:23.646Z"},{"id":3548279,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. If you're interested to learn how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after: \n\n1. 
Bugs in the latest published Nextcloud server software ([Download](https://nextcloud.com/install/#instructions-server) / [Source Code](https://github.com/nextcloud/server/tree/stable11?files=1)) (note that \"apps\" you enable from the appstore are not necessarily bundled. Only the one from the \"Not enabled\" category)\n2. Bugs in the Nextcloud Android client ([Download](https://play.google.com/store/apps/details?id=com.nextcloud.client) / [Source Code](https://github.com/nextcloud/android)) (we do exclude bugs that do require the existence of another malicious app on the system)\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)\n\nOh, and to make us even happier please go the extra mile to download the software locally. Running tests against our demo infrastructure is something that decreases the experience for other users massively. Whatever you decide to do, do not run any tests against production instances of other people.\n\nFound a security bug in one of above mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our web sites or so? While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. 
Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\n# Rewards\nOur rewards are based on severity and range up to $5,000. To give you some guidance we have compiled below list:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as non-admin user. (i.e. RCE) | $5,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. | $250 |\n\n*Note that we only are able to offer monetary rewards for issues within the software mentioned in our program policy.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-06T08:54:12.595Z"},{"id":3543183,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. 
If you're interested to learn how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after: \n\n1. Bugs in the latest published Nextcloud server software ([Download](https://nextcloud.com/install/#instructions-server) / [Source Code](https://github.com/nextcloud/server/tree/stable11?files=1)) (note that \"apps\" you enable from the appstore are not necessarily bundled. Only the one from the \"Not enabled\" category)\n2. Bugs in the Nextcloud Android client ([Download](https://play.google.com/store/apps/details?id=com.nextcloud.client) / [Source Code](https://github.com/nextcloud/android)) (we do exclude bugs that do require the existence of another malicious app on the system)\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)\n\nOh, and to make us even happier please go the extra mile to download the software locally. Running tests against our demo infrastructure is something that decreases the experience for other users massively. Whatever you decide to do, do not run any tests against production instances of other people.\n\nFound a security bug in one of above mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our web sites or so? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\n# Rewards\nOur rewards are based on severity and range up to $5,000. To give you some guidance we have compiled below list:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as non-admin user. (i.e. RCE) | $5,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. | $250 |\n\n*Note that we only are able to offer monetary rewards for issues within the software mentioned in our program policy.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-13T20:46:59.017Z"},{"id":3496017,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. 
If you're interested to learn how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after: \n\n1. Bugs in the latest published Nextcloud server software ([Download](https://nextcloud.com/install/#instructions-server) / [Source Code](https://github.com/nextcloud/server/tree/stable10?files=1)) (note that \"apps\" you enable from the appstore are not necessarily bundled. Only the one from the \"Not enabled\" category)\n2. Bugs in the Nextcloud Android client ([Download](https://play.google.com/store/apps/details?id=com.nextcloud.client) / [Source Code](https://github.com/nextcloud/android)) (we do exclude bugs that do require the existence of another malicious app on the system)\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)\n\nOh, and to make us even happier please go the extra mile to download the software locally. Running tests against our demo infrastructure is something that decreases the experience for other users massively. Whatever you decide to do, do not run any tests against production instances of other people.\n\nFound a security bug in one of above mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our web sites or so? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\n# Rewards\nOur rewards are based on severity and range up to $5,000. To give you some guidance we have compiled below list:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as non-admin user. (i.e. RCE) | $5,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. | $250 |\n\n*Note that we only are able to offer monetary rewards for issues within the software mentioned in our program policy.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-25T14:13:52.643Z"},{"id":3034667,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. 
If you're interested to learn how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after: \n\n1. Bugs in the latest published Nextcloud server software ([Download](https://nextcloud.com/install/#instructions-server) / [Source Code](https://github.com/nextcloud/server/tree/stable9?files=1)) (note that \"apps\" you enable from the appstore are not necessarily bundled. Only the one from the \"Not enabled\" category)\n2. Bugs in the Nextcloud Android client ([Download](https://play.google.com/store/apps/details?id=com.nextcloud.client) / [Source Code](https://github.com/nextcloud/android)) (we do exclude bugs that do require the existence of another malicious app on the system)\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)\n\nOh, and to make us even happier please go the extra mile to download the software locally. Running tests against our demo infrastructure is something that decreases the experience for other users massively. Whatever you decide to do, do not run any tests against production instances of other people.\n\nFound a security bug in one of above mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our web sites or so? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\n# Rewards\nOur rewards are based on severity and range up to $5,000. To give you some guidance we have compiled below list:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as non-admin user. (i.e. RCE) | $5,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. | $250 |\n\n*Note that we only are able to offer monetary rewards for issues within the software mentioned in our program policy.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-07-08T22:22:26.612Z"},{"id":3034657,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. 
If you're interested to learn how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after: \n\n1. Bugs in the latest published Nextcloud server software ([Download](https://nextcloud.com/install/#instructions-server) / [Source Code](https://github.com/nextcloud/server/tree/stable9?files=1)) (note that \"apps\" you enable from the appstore are not necessarily bundled. Only the one from the \"Not enabled\" category)\n2. Bugs in the Nextcloud Android client ([Download](https://play.google.com/store/apps/details?id=com.nextcloud.client) / [Source Code](https://github.com/nextcloud/android)) (we do exclude bugs that do require the existence of another malicious app on the system)\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we are also considering Denial of Service not a reward worthy vulnerability. (we will acknowledge you though!)\n\nOh, and to make us even happier please go the extra mile to download the software locally. Running tests against our demo infrastructure is something that decreases the experience for other users massively. Whatever you decide to do, do not run any tests against production instances of other people.\n\nFound a security bug in one of above mentioned components? Awesome! Just report it here and we will get back to you. These components are also for what monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) before.\n\nFound a bug in one of our web sites or so? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please do also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\n# Rewards\nOur rewards are based on severity and range up to $5,000. To give you some guidance we have compiled below list:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as unauthenticated/regular user. (i.e. RCE) | $5,000 |\n| High | Gaining access to complete user data of any other user. (i.e. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single users' user session. (i.e. XSS) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high unlikely amount of user interaction. | $250 |\n\n*Note that we only are able to offer monetary rewards for issues within the software mentioned in our program policy.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-07-08T22:21:28.513Z"},{"id":2931299,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring it's security to the next level. 
If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after: \n\n1. Bugs in the latest published Nextcloud server software ([Download](https://nextcloud.com/install/#instructions-server) / [Source Code](https://github.com/nextcloud/server/tree/stable9?files=1)) (note that \"apps\" you enable from the appstore are not necessarily bundled. Only the ones from the \"Not enabled\" category)\n2. Bugs in the Nextcloud Android client ([Download](https://play.google.com/store/apps/details?id=com.nextcloud.client) / [Source Code](https://github.com/nextcloud/android)) (we do exclude bugs that require the existence of another malicious app on the system)\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we also do not consider Denial of Service a reward-worthy vulnerability (we will acknowledge you though!).\n\nOh, and to make us even happier please go the extra mile to download the software locally. Running tests against our demo infrastructure is something that decreases the experience for other users massively. Whatever you decide to do, do not run any tests against production instances of other people.\n\nFound a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These components are also the ones for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) beforehand.\n\nFound a bug in one of our websites or something similar? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\n# Rewards\nOur rewards are based on severity and range up to $5,000. To give you some guidance we have compiled the list below:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as an unauthenticated user. (e.g. RCE) | $5,000 |\n| High | Gaining access to the complete user data of any other user. (e.g. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single user's session. (e.g. XSS) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction. | $250 |\n\n*Note that we are only able to offer monetary rewards for issues within the software mentioned in our program policy.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-20T23:02:21.569Z"},{"id":2928932,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. 
If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after: \n\n1. Bugs in the latest published Nextcloud server software ([Download](https://nextcloud.com/install/#instructions-server) / [Source Code](https://github.com/nextcloud/server/tree/stable9?files=1)) (note that \"apps\" you enable from the appstore are not necessarily bundled. Only the ones from the \"Not enabled\" category)\n2. Bugs in the Nextcloud Android client ([Download](https://play.google.com/store/apps/details?id=com.nextcloud.client) / [Source Code](https://github.com/nextcloud/android)) (we do exclude bugs that require the existence of another malicious app on the system)\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we also do not consider Denial of Service a reward-worthy vulnerability (we will acknowledge you though!).\n\nOh, and to make us even happier please go the extra mile to download the software locally. Running tests against our demo infrastructure is something that decreases the experience for other users massively. Whatever you decide to do, do not run any tests against production instances of other people.\n\nFound a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These components are also the ones for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) beforehand.\n\nFound a bug in one of our websites or something similar? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\n# Rewards\nOur rewards are based on severity and range from $250 to $5,000. To give you some guidance we have compiled the list below:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as an unauthenticated user. (e.g. RCE) | $5,000 |\n| High | Gaining access to the complete user data of any other user. (e.g. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single user's session. (e.g. XSS) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction. | $250 |\n\n*Note that we are only able to offer monetary rewards for issues within the software mentioned in our program policy.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-20T15:04:34.391Z"},{"id":2913233,"new_policy":"As an open-source project we know and believe in the well-known Linus' law:\n\n\u003e Given enough eyeballs, all bugs are shallow\n\nWe're inviting researchers all over the globe to take a look at Nextcloud and bring its security to the next level. 
If you're interested in learning how we handle security you can read more about it on our [dedicated security page](https://nextcloud.com/security/).\n\n# Program policy\n\nWe know how valuable your time is and employ a \"No bullshit policy\" that boils down to: Don't be a jerk. Instead of bothering you with a huge list of exclusions we're going to tell you what we're especially looking after: \n\n1. Bugs in the latest published Nextcloud server software ([Download](https://nextcloud.com/install/#instructions-server) / [Source Code](https://github.com/nextcloud/server/tree/stable9?files=1)) (note that \"apps\" you enable from the appstore are not necessarily bundled. Only the ones from the \"Not enabled\" category)\n2. Bugs in the Nextcloud Android client ([Download](https://play.google.com/store/apps/details?id=com.nextcloud.client) / [Source Code](https://github.com/nextcloud/android))\n\nA bug is for us something that actively allows an attacker to escalate their privileges. Something like \"Attacker can delete arbitrary files of other users\" is fine, \"Missing X-Frame-Options on the download servers\" not so much. At the moment we also do not consider Denial of Service a reward-worthy vulnerability (we will acknowledge you though!).\n\nOh, and to make us even happier please go the extra mile to download the software locally. Running tests against our demo infrastructure is something that decreases the experience for other users massively. Whatever you decide to do, do not run any tests against production instances of other people.\n\nFound a security bug in one of the above-mentioned components? Awesome! Just report it here and we will get back to you. These components are also the ones for which monetary rewards are awarded. Bonus points if you check back with our [threat model](https://nextcloud.com/security/threat-model) beforehand.\n\nFound a bug in one of our websites or something similar? 
While we can't offer you any monetary reward we will acknowledge the issue and happily accept reports for it via this platform as well. But please do not run any Denial of Service attacks against our infrastructure or extract user data. Please also refrain from using automated testing tools against our infrastructure or disclosing bugs to other parties before we have published a patch.\n\n# Rewards\nOur rewards are based on severity and range from $250 to $5,000. To give you some guidance we have compiled the list below:\n\n| Impact | Definition | Highest possible reward |\n|----------|--------------------------------------------------------------------------------------------------------------------------|-------------|\n| Critical | Gaining remote code execution on the server as an unauthenticated user. (e.g. RCE) | $5,000 |\n| High | Gaining access to the complete user data of any other user. (e.g. Auth Bypass) | $2,000 |\n| Medium | Limited disclosure of user data or attacks granting access to a single user's session. (e.g. XSS) | $750 |\n| Low | Very limited disclosure of user data or attacks involving a very high and unlikely amount of user interaction. | $250 |\n\n*Note that we are only able to offer monetary rewards for issues within the software mentioned in our program policy.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-17T09:59:17.205Z"}]