All Categories
  • 1st Steps
  • Authentication
  • Branding
  • Changelogs
  • Collaboration
  • Compliance
  • Customization
  • Desktop Client
  • External Storage
  • Frequently Asked Questions
  • Installation
  • Migrations
  • Mobile Clients
  • Nextcloud Context Chat
  • Nextcloud Flow (Windmill integration)
  • Nextcloud Talk
  • Operations
  • Partner Products
  • Roundcubemail
  • Scalability
  • Security
  • Security Incident Reporting Process for Hosting Partners

    Summary

    Hosting partners must report suspected Nextcloud-related security issues immediately and coordinate closely with the Nextcloud security team throughout investigation, mitigation, and disclosure.

    This document defines how and when partners must engage with Nextcloud on security incidents. It does not replace a partner’s own security or incident response program.

    Key expectations:

    • Report suspected issues early, even if unconfirmed
    • Use defined reporting channels and subject prefixes
    • Preserve evidence and limit internal access
    • Align all external communication and disclosure with Nextcloud
    • Assign a single incident owner and maintain a clear incident timeline

    1. Purpose and Scope

    This document defines how hosting partners and resellers must report and coordinate on security incidents related to Nextcloud.

    It applies to:

    • Vulnerabilities in Nextcloud software
    • Misconfigurations or compromises affecting Nextcloud environments
    • Supply-chain or third-party issues impacting Nextcloud security

    This document:

    • Complements, but does not replace, a partner’s own security program
    • Assumes a mature security posture aligned with standards such as ISO/IEC 27001/27002 and SOC 2
    • Focuses on interaction and coordination with Nextcloud

    2. Standards and Responsible Disclosure

    Nextcloud follows industry-standard responsible disclosure practices and we expect the same from our partners.

    Some general guidance can be found in:

    See this overview page from NIST which links to the above ISO and NIST standards..

    These references provide general guidance; this document defines Nextcloud-specific expectations.

    3. General Partner Expectations

    Partners are expected to:

    • Apply security updates promptly and monitor Nextcloud security communications
    • Train staff on responsible disclosure and secure communication practices, so support doesn't accidentally say too much for example.
    • Notify Nextcloud of relevant audit findings, penetration tests, or vulnerability scans
    • Maintain accurate technical documentation of their Nextcloud deployment to support incident analysis.

    4. Reporting a Security Issue

    4.1 When to Report

    Report suspected security issues immediately, even if impact or root cause are unclear.

    • Do not wait for confirmation or full impact analysis
    • Early reporting is preferred over delayed certainty
    Background
    We rather get informed at the earliest suspicion and, in subsequent updates, we discover that there is no issue, rather than being late to discover a potentially serious problem.

    4.2 How to Report

    Primary channel

    • Submit a ticket via the Nextcloud support portal.
    • Prefix the subject with: SECURITY: and Severity 1
    • One issue per ticket
    • Do not include sensitive data unless explicitly requested

    Fallback / Escalation

    • If Zammad is unavailable, submit via our HackerOne program.
    • For critical or time-sensitive issues (e.g. active exploitation, weekends):
      • Submit the issue via both Zammad and HackerOne

    4.3 Information to Include

    Provide all available information, including:

    Background
    We appreciate the complexity of security impact analysis and, of course, will not disclose any confidential information.

    Provide an initial severity estimate (best effort):

    • NIST impact level (Low / Moderate / High), or
    • CVSS v3.x base score (if applicable)

    5. Disclosure and Communication Rules

    All disclosure must be coordinated with the Nextcloud security team.

    Without explicit alignment with Nextcloud, partners must not:

    • Inform customers about Nextcloud vulnerabilities
      • This includes through support. Make sure staff is aware and is careful with wording. Customers can and occasionally DO leak communication with support staff. Best to simply avoid referring to any incident as security related.
    • Coordinate with media, researchers, or CERTs
    • Make public statements referencing the issue

    If local regulations require notification (e.g. to a Data Protection Authority):

    • Coordinate timing and content with the Nextcloud security team

    Our joint goal is to:

    • Meet regulatory obligations
    • Protect customers
    • Avoid unnecessary risk caused by premature or inaccurate disclosure
    • Avoid bad or inaccurate publicity

    Given the scale of the Nextcloud ecosystem, uncoordinated disclosure can create significant risk.

    Background
    Nextcloud has an estimated 500.000 servers online, with tens of millions of users. The impact of a real issue is large and we want to keep all of those as secure as possible. Leaking the existence of a security threat can cause unnessecairy risk for all those servers.

    6. Incident Handling Expectations

    During an incident, partners must:

    • Designate a single incident owner and share contact details with nextcloud
    • Apply least-privilege access and restrict knowledge to a need-to-know basis
    • Use secure communication channels only
    • Preserve evidence in a forensically sound manner:
      • Do not modify, rotate, or delete logs, containers, VMs, or storage
      • Take snapshots where possible
    • Maintain a complete incident timeline from discovery to closure

    7. Nextcloud Commitments

    From the Nextcloud side:

    • Incidents are handled according to this documentation, the Nextcloud disclosure guidelines and HackerOne processes
    • Mitigations are provided as quickly as possible

    8. Clarifications

    • Hosting partners are not eligible for bug bounties
    • If an issue is reported by a partner’s customer or end user, that reporter may be eligible