Nextcloud has joined a growing list of projects, including Curl, that have ended their bug‑bounty partnerships with HackerOne due to an unmanageable surge of low‑effort, AI‑generated security reports.
I received the following email:
Hi ph00lt0,
Nextcloud is sending you a message about their program on HackerOne.
Hello,
We are writing to you because you have previously reported vulnerabilities to Nextcloud via HackerOne.
Like many other software projects, we have been receiving an increasing number of generic AI security reports via platforms such as HackerOne for some time now. This makes it difficult for us to identify high-quality reports. Our aim is to reduce the number of low-effort AI-generated reports and focus on what really matters.
We have therefore decided to discontinue our bug bounty programme by April 22 and will not award any financial rewards for any submissions, regardless of severity. Any report submitted prior to April 22 will be processed under the previous policy.
We would like to take this opportunity to thank the research community for your past support in helping to make Nextcloud more secure, and we hope that you will continue to support us in future. Nextcloud remains accessible via HackerOne and welcomes any valid vulnerability reports.
Further information on Nextcloud’s HackerOne guidelines can be found here: https://hackerone.com/nextcloud.
Best regards,
Nextcloud Security Team