It is a well-known fact that I’m a vocal supporter of Bug Bounty programs. I do believe that running a fair and engaging bug bounty program is a great addition to any software security process.
My personal experiences with Bug Bounties go back to the end of 2011, when somebody made me aware of the Google Bug Bounty program. Of course my initial gut reaction was more like: “Finding security bugs in Google products? That must be impossible. They have a ton of Security Engineers.”
Just a short time later it turned out that I was wrong. Finding security bugs in Google’s web services was indeed possible, and no great magic was required. So I earned quite a bit of money with the Google Vulnerability Reward program, helping keep Google users safe. This experience has taught me that having a nearly never-ending additional set of eyes on a product is a fantastic thing to have. And believe me, finding bugs in Google’s web services is nowadays way harder than it was before: bug bounty programs WORK.
Thus it makes me very happy to share today that Nextcloud is launching a Bug Bounty program on HackerOne. I have a good amount of experience with the HackerOne platform and their work is really a good thing for the security of the internet overall.
We’re aiming to offer a competitive and healthy bug bounty for Nextcloud, and that means serious rewards to make sure it is worth the time of serious security experts to look at our code. Ours go up to $5,000, some of the highest in the open-source world! And if you look at what big multi-billion-dollar companies offer, I believe this is a very competitive offering.
Of course, there have been bad experiences with some bug bounty programs. I myself have also had some trouble with some bug bounty programs (looking at you here, Yahoo!). I know how time-consuming this task can be, and thus I will personally ensure:
- We will review all submissions within 72 hours.
- We will pay out bounties quickly after our validation of the report.
- We will credit and fully publicly disclose the bug reports and their reporters’ work.
If you have any questions about the program please do not hesitate to reach out to us at [email protected]
Quick shoutout to any open-source project out there: if you are considering running a bug bounty program, I’m happy to share my experiences with you. Just drop me an email!