Nextcloud

Targets in scope

| Asset | Type | Availability | Confidentiality | Integrity | Max severity | Notes |
|---|---|---|---|---|---|---|
| Desktop Client | DOWNLOADABLE_EXECUTABLES | | | | critical | Issues affecting the Desktop Client available from [https://nextcloud.com/install/#install-clients](https://nextcloud.com/install/#install-clients). |
| com.nextcloud.Talk | APPLE_STORE_APP_ID | none | low | low | medium | Our official iOS Talk client from [https://itunes.apple.com/app/id1296825574](https://itunes.apple.com/app/id1296825574). |
| com.nextcloud.client | GOOGLE_PLAY_APP_ID | none | low | low | medium | Our official Android client from [https://play.google.com/store/apps/details?id=com.nextcloud.client](https://play.google.com/store/apps/details?id=com.nextcloud.client). |
| com.nextcloud.talk2 | GOOGLE_PLAY_APP_ID | none | low | low | medium | Our official Android Talk client from [https://play.google.com/store/apps/details?id=com.nextcloud.talk2](https://play.google.com/store/apps/details?id=com.nextcloud.talk2). |
| https://apps.nextcloud.com/ | URL | | | | critical | Part of the Nextcloud app store, whose source code is available from [https://github.com/nextcloud/appstore](https://github.com/nextcloud/appstore). Note that all apps are cryptographically signed by their developers, so reports usually do not qualify for monetary rewards as they do not affect Nextcloud instances. |
| https://auth.nextcloud.com | URL | | | | critical | Internal system behind SSO. Please do not actively test against our production SSO server. The SSO software used is Keycloak: [http://www.keycloak.org/](http://www.keycloak.org/). |
| https://crm.nextcloud.com | URL | | | | critical | Internal system behind SSO. Please do not actively test against our production SSO server. The SSO software used is Keycloak: [http://www.keycloak.org/](http://www.keycloak.org/). |
| https://customerupdates.nextcloud.com | URL | | | | critical | Serves updates to Nextcloud server and the Nextcloud desktop client. Client updater server: [https://github.com/nextcloud/client_updater_server](https://github.com/nextcloud/client_updater_server); server updater server: [https://github.com/nextcloud/updater_server](https://github.com/nextcloud/updater_server). While updates are cryptographically signed, this is still a core part of Nextcloud, so we pay monetary rewards for issues affecting the integrity of the system (e.g. allowing an attacker to announce malicious updates). |
| https://docs.nextcloud.com | URL | | | | critical | Static web server serving the documentation generated from [https://github.com/nextcloud/documentation](https://github.com/nextcloud/documentation). |
| https://download.nextcloud.com | URL | | | | critical | While updates and downloads are cryptographically signed, this is still a core part of Nextcloud, so we pay monetary rewards for issues affecting the integrity of the system (e.g. allowing an attacker to replace arbitrary files on the system). |
| https://help.nextcloud.com | URL | | | | critical | This asset runs Discourse, so reports of newly discovered vulnerabilities in Discourse should be submitted to their program instead: [https://hackerone.com/discourse](https://hackerone.com/discourse). Please use this scope only for reporting missing security updates on our Discourse installation. |
| https://knowledge.nextcloud.com | URL | | | | critical | Internal system behind SSO. Please do not actively test against our production SSO server. The SSO software used is Keycloak: [http://www.keycloak.org/](http://www.keycloak.org/). |
| https://lists.nextcloud.com | URL | | | | critical | Internal system behind SSO. Please do not actively test against our production SSO server. The SSO software used is Keycloak: [http://www.keycloak.org/](http://www.keycloak.org/). |
| https://logs.nextcloud.com | URL | | | | critical | Internal system behind SSO. Please do not actively test against our production SSO server. The SSO software used is Keycloak: [http://www.keycloak.org/](http://www.keycloak.org/). |
| https://lookup.nextcloud.com | URL | | | | critical | The Nextcloud lookup server source code can be found at [https://github.com/nextcloud/lookup-server/](https://github.com/nextcloud/lookup-server/). |
| https://newsletter.nextcloud.com | URL | none | low | none | low | |
| https://nextcloud.com | URL | | | | critical | The nextcloud.com website runs WordPress; the source code of our theme and adjustments can be found at [https://github.com/nextcloud/nextcloud.com](https://github.com/nextcloud/nextcloud.com). |
| https://portal.nextcloud.com | URL | | | | critical | Portal with support answers by the Nextcloud support team. Please be extremely careful when testing this server, as it is used by our customers as well. |
| https://projects.nextcloud.com | URL | | | | critical | Internal system behind SSO. Please do not actively test against our production SSO server. The SSO software used is Keycloak: [http://www.keycloak.org/](http://www.keycloak.org/). |
| https://push-notifications.nextcloud.com | URL | | | | critical | Backend behind the push notification proxy for our mobile apps. Our push notifications are end-to-end encrypted, so an attacker would not be able to gain access to their content. The push notification proxy client can be found at [https://github.com/nextcloud/notifications](https://github.com/nextcloud/notifications). |
| https://pushfeed.nextcloud.com | URL | low | none | none | low | Used to push cryptographically signed announcements to the administrators of all Nextcloud instances. The source code for generating the announcement feeds can be found at [https://github.com/nextcloud/announcer](https://github.com/nextcloud/announcer) and the client at [https://github.com/nextcloud/nextcloud_announcements](https://github.com/nextcloud/nextcloud_announcements). |
| https://scan.nextcloud.com/ | URL | | | | critical | Runs the web interface for the software used by the Nextcloud security scanner. |
| https://static.apps.nextcloud.com | URL | | | | critical | Part of the Nextcloud app store, whose source code is available from [https://github.com/nextcloud/appstore](https://github.com/nextcloud/appstore). Note that all apps are cryptographically signed by their developers, so reports usually do not qualify for monetary rewards as they do not affect Nextcloud instances. |
| https://stats.nextcloud.com | URL | | | | critical | Internal system behind SSO. Please do not actively test against our production SSO server. The SSO software used is Keycloak: [http://www.keycloak.org/](http://www.keycloak.org/). |
| https://support.nextcloud.com | URL | | | | critical | This asset runs Zammad, so reports of newly discovered vulnerabilities in Zammad should be submitted to them: [https://zammad.com/contact](https://zammad.com/contact). Please use this scope only for reporting missing security updates on our Zammad installation. Please be extremely careful when testing this server, as it is used by our customers as well. |
| https://surveyserver.nextcloud.com | URL | | | | critical | The survey server processes and stores anonymous statistics about deployed Nextcloud instances. Source code of the server: [https://github.com/nextcloud/survey_server](https://github.com/nextcloud/survey_server); source code of the client: [https://github.com/nextcloud/survey_client](https://github.com/nextcloud/survey_client). |
| https://updates.nextcloud.com | URL | high | high | high | critical | Serves updates to Nextcloud server and the Nextcloud desktop client. Client updater server: [https://github.com/nextcloud/client_updater_server](https://github.com/nextcloud/client_updater_server); server updater server: [https://github.com/nextcloud/updater_server](https://github.com/nextcloud/updater_server). While updates are cryptographically signed, this is still a core part of Nextcloud, so we pay monetary rewards for issues affecting the integrity of the system (e.g. allowing an attacker to announce malicious updates). |
| https://usercontent.apps.nextcloud.com | URL | | | | critical | Note that usercontent.apps.nextcloud.com serves potentially untrusted user content and always sets a Content-Type of attachment. The source code for the software can be found at [https://github.com/nextcloud/usercontent.apps.nextcloud.com](https://github.com/nextcloud/usercontent.apps.nextcloud.com). |
| it.twsweb.Nextcloud | APPLE_STORE_APP_ID | none | low | low | medium | Our official iOS client from [https://itunes.apple.com/app/nextcloud/id1125420102](https://itunes.apple.com/app/nextcloud/id1125420102). |
| nextcloud/3rdparty | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/3rdparty](https://github.com/nextcloud/3rdparty). |
| nextcloud/activity | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/activity](https://github.com/nextcloud/activity). |
| nextcloud/files_accesscontrol | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/files_accesscontrol](https://github.com/nextcloud/files_accesscontrol). |
| nextcloud/files_automatedtagging | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/files_automatedtagging](https://github.com/nextcloud/files_automatedtagging). |
| nextcloud/files_pdfviewer | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/files_pdfviewer](https://github.com/nextcloud/files_pdfviewer). |
| nextcloud/files_retention | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/files_retention](https://github.com/nextcloud/files_retention). |
| nextcloud/files_texteditor | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/files_texteditor](https://github.com/nextcloud/files_texteditor). |
| nextcloud/files_videoplayer | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/files_videoplayer](https://github.com/nextcloud/files_videoplayer). |
| nextcloud/firstrunwizard | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/firstrunwizard](https://github.com/nextcloud/firstrunwizard). |
| nextcloud/gallery | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/gallery](https://github.com/nextcloud/gallery). |
| nextcloud/logreader | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/logreader](https://github.com/nextcloud/logreader). |
| nextcloud/nextcloud_announcements | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/nextcloud_announcements](https://github.com/nextcloud/nextcloud_announcements). |
| nextcloud/notifications | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/notifications](https://github.com/nextcloud/notifications). |
| nextcloud/password_policy | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/password_policy](https://github.com/nextcloud/password_policy). |
| nextcloud/server | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/server](https://github.com/nextcloud/server). |
| nextcloud/serverinfo | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/serverinfo](https://github.com/nextcloud/serverinfo). |
| nextcloud/spreed | SOURCE_CODE | medium | high | high | critical | Code from [https://github.com/nextcloud/spreed](https://github.com/nextcloud/spreed). |
| nextcloud/survey_client | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/survey_client](https://github.com/nextcloud/survey_client). |
| nextcloud/updater | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/updater](https://github.com/nextcloud/updater). |
| nextcloud/user_saml | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/user_saml](https://github.com/nextcloud/user_saml). |
| nextcloud/mail | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/mail](https://github.com/nextcloud/mail). |
| nextcloud/photos | SOURCE_CODE | high | high | high | critical | Code from [https://github.com/nextcloud/photos](https://github.com/nextcloud/photos). |
| nextcloud/files_rightclick | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/files_rightclick](https://github.com/nextcloud/files_rightclick). |
| nextcloud/privacy | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/privacy](https://github.com/nextcloud/privacy). |
| nextcloud/recommendations | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/recommendations](https://github.com/nextcloud/recommendations). |
| nextcloud/text | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/text](https://github.com/nextcloud/text). |
| nextcloud/viewer | SOURCE_CODE | | | | critical | Code from [https://github.com/nextcloud/viewer](https://github.com/nextcloud/viewer). |

For every SOURCE_CODE asset above: note that some folders, such as tests, are not packaged. Please make sure that the referenced file also exists in our final releases.

Targets out of scope

| Asset | Type | Availability | Confidentiality | Integrity | Max severity | Notes |
|---|---|---|---|---|---|---|
| https://cloud.nextcloud.com | URL | | | | critical | [https://cloud.nextcloud.com](https://cloud.nextcloud.com) is our internal production Nextcloud instance. Please limit testing to your own testing instances. |
| https://conf.nextcloud.com | URL | | | | critical | This is a legacy system now redirecting to our [eventyay page](https://eventyay.com/e/de88e486/). Please report issues within eventyay directly to [the responsible contacts](https://eventyay.com/imprint/). |
| https://demo.nextcloud.com | URL | | | | critical | [https://demo.nextcloud.com](https://demo.nextcloud.com) runs on dedicated machines. While you can try to find security vulnerabilities in the demo instances there, please verify that they are also exploitable in the current Nextcloud source code, and then select the proper component when reporting. |
| https://drone.nextcloud.com | URL | | | | critical | Our Drone server contains no sensitive data, and we ask you not to test against our development environments. If you discover a security issue in Drone, please report it to [https://github.com/drone/drone](https://github.com/drone/drone) instead. |
| https://sentry.nextcloud.com | URL | | | | none | We ask you not to test against our development environments. If you discover a security issue in Sentry, please report it to https://sentry.io/security/ instead. |
| try.nextcloud.com | URL | | | | none | https://try.nextcloud.com runs on dedicated machines. While you can try to find security vulnerabilities in the demo instances there, please verify that they are also exploitable in the current Nextcloud source code, and then select the proper component when reporting. |