Security Disclosure Policy

ownCloud — a Kiteworks company

The security of ownCloud and its users is a core responsibility.
We operate a formal Vulnerability Disclosure Policy and Bug Bounty Program to ensure that security issues are identified, reported, and resolved effectively.

How to Report a Vulnerability

Report security vulnerabilities through our official channels:

Do not report security vulnerabilities through public GitHub issues, forum posts, or social media. Public disclosure of unpatched vulnerabilities puts users at risk and disqualifies reports from the bug bounty program.

What to Include in Your Report

A useful vulnerability report includes at minimum:

  • A clear description of the vulnerability and its potential impact.
  • The affected product and version (oCIS, Desktop Client, Android, iOS, or ownCloud Server 10.x).
  • Steps to reproduce the issue, ideally with a proof of concept.
  • Your assessment of severity (CVSS score if possible).

The more detail you provide, the faster we can triage and resolve the issue.


Our Commitment to You

When you report a vulnerability through our official channels, we commit to the following:

  • Assessment. A member of the ownCloud security team will evaluate the vulnerability, determine its impact, and classify its severity.
  • Resolution. We will develop and test a fix, apply it to the relevant branches, and package it in the next security release. For critical issues, we may issue an out-of-band release.

Rules of Engagement

We ask that security researchers follow these guidelines:

  • Only test for vulnerabilities on your own installation of ownCloud.
  • Do not access, modify, or delete data belonging to other users.
  • Do not perform denial-of-service attacks against ownCloud infrastructure.
  • Do not publish vulnerability details until ownCloud has issued a fix and public advisory.
  • Allow reasonable time for the security team to respond and remediate.
  • If you are unsure whether something is in scope, ask us first at security@owncloud.com.

Bug Bounty Program

Our bug bounty program on YesWeHack rewards security researchers for qualifying vulnerabilities based on severity. Severity is determined at the discretion of the ownCloud security team. Bounties are paid through the YesWeHack platform. Vulnerabilities requiring administrator privileges (CVSS PR:H) are generally capped at High severity unless chained with a privilege escalation.

Out of Scope

The following are generally out of scope for our bug bounty program:

  • Network-level attacks (DDoS, MitM without application-layer impact).
  • Social engineering or phishing attacks on ownCloud staff.
  • Issues in third-party applications not maintained by ownCloud (report these to the respective maintainer).
  • Missing security headers with no demonstrable impact.
  • SPF/DKIM/DMARC misconfigurations.
  • Session expiration policies.
  • Reports from automated scanners without validated proof of concept.

Supply Chain and Dependency Vulnerabilities

If you discover a vulnerability in a dependency used by ownCloud (a library, container image, or build tool), please report it through our standard channels. We will coordinate disclosure with the upstream maintainer where appropriate.

ownCloud monitors its supply chain through automated scanning and maintains an SBOM (Software Bill of Materials) process.

Contact

  • VDP / Bug Bounty: security.owncloud.com / YesWeHack
  • Security Team Email: security@owncloud.com
  • OSPO Contact: ospo@kiteworks.com

Frequently Asked Questions

You can report security vulnerabilities through ownCloud’s official channels: the VDP Platform at security.owncloud.com, the Bug Bounty Program on YesWeHack, or via email at security@owncloud.com for issues outside the bug bounty scope. Avoid public disclosure on platforms like GitHub, forums, or social media to protect users and maintain eligibility for the bug bounty program.

A useful vulnerability report should include a clear description of the vulnerability and its potential impact, the affected product and version (e.g., oCIS, Desktop Client, Android, iOS, or ownCloud Server 10.x), steps to reproduce the issue with a proof of concept if possible, and your assessment of severity, such as a CVSS score. Providing detailed information helps expedite triage and resolution.

ownCloud commits to assessing the reported vulnerability by having a security team member evaluate its impact and classify its severity. They will then develop and test a fix, apply it to relevant branches, and include it in the next security release, or issue an out-of-band release for critical issues.

Security researchers must follow these guidelines: test vulnerabilities only on your own ownCloud installation, avoid accessing or modifying other users’ data, refrain from denial-of-service attacks on ownCloud infrastructure, do not publish vulnerability details until a fix and advisory are issued, allow reasonable time for response and remediation, and contact security@owncloud.com if unsure about scope.
