💡 TLDR: Report security issues at hackerone.com/nextcloud
If you believe you have found an issue that meets our definition of a security vulnerability, we encourage you to let us know right away. Please use the reporting process described below.
| If you are a... | See section... |
|---|---|
| Security Researcher | How to Report a Vulnerability |
| Nextcloud Admin or User | Security Advisories, Supported Versions |
Instead, please:
- Review our responsible disclosure guidelines
- Submit your report via HackerOne
Your report should include:
- Product version
- A clear description of the vulnerability
- Steps to reproduce the issue (clear, step-by-step instructions are greatly appreciated)
- Any other details that may assist our investigation
If you require encrypted communication, please request it in your initial message.
Note: This process is for confidential reporting of software vulnerabilities only.
For general support or configuration help, see Nextcloud Support.
In most cases, you should receive an initial response within 24 hours.
A member of our security team will:
- Confirm the vulnerability
- Assess its impact
- Follow up with any questions
- Coordinate the fix and public disclosure
We apply, test, and release fixes for all relevant, supported stable branches in the next security update. Vulnerabilities are publicly announced after the fix is released. As a thank you, we will add your name to our Hall of Fame.
If your report concerns an app not maintained by Nextcloud (e.g., community-maintained apps hosted by Nextcloud or hosted elsewhere), our security team will coordinate with the current maintainer to help resolve the issue in a similar fashion.
If you are interested in a bug bounty, please note that complete, detailed reports can contribute to higher bounty awards. Details on past bounties are available at HackerOne.
Published advisories for Nextcloud Server, Clients, and Apps are available at the Nextcloud Security Advisories page.
Each major release of Nextcloud Server receives security updates for one year from its initial release date. The Nextcloud project typically supports at least the two most recent major releases.
To stay protected:
- Ensure your Nextcloud Server is always running a supported major release
- Promptly apply all maintenance releases (these include critical security and functionality bug fixes)
- Monitor the end-of-life (EOL) date for your major release (after this date, no further maintenance releases will be published. Upgrading to a newer major release is strongly recommended.)
See the Maintenance and Release Schedule for details.