Nextcloud Bug Bounty Report

Background

What is a bug bounty program?

After listening to an episode of Darknet Diaries that talked about bug bounty programs, I was inspired to make some money finding vulnerabilities. Through HackerOne, I found Nextcloud's bug bounty program.

My Experience Before This

I have found Cross Site Scripting (XSS) bugs before. I also submitted an unrelated report to Google a few years ago.

How I found the vulnerability

While looking at the list of in-scope targets, I saw that one of them was the source code for a PDF viewer. I also knew that some PDF viewers are vulnerable to XSS attacks. After seeing that they used pdf.js, I searched for vulnerabilities that affected the version they used. I found out that the version they used was vulnerable to CVE-2018-5158.

The Report Process

Although it was only around 150 words, I spent a few hours confirming the exploit and writing the report on it. You can see the HackerOne report in the links at the bottom of this article.

What Happened

Nextcloud quickly responded, fixed the issue, and submitted a CVE. They awarded me with $100, and their vulnerability was given the CVE-ID CVE-2020-8155. Overall, I am pleased with how they communicated and handled the process.