5 Ways Nextcloud Develops its Product with Respect to your Privacy and Security

Originally published at: 5 Ways Nextcloud Develops its Product with Respect to your Privacy and Security - Nextcloud

In the beginning, we started Nextcloud because of privacy and security challenges that cloud service users faced. It is engrained in our strategy and company values. So how do we keep your data safe? An important element for that is how we develop Nextcloud!

Our product development follows industry leading security processes. We like to say security bugs are like technical debt: fixing them later is expensive. Our strategy is to prevent them from happening from the get-go through a rigorous focus on security throughout the entire life cycle of our product. We aim to get those which find their way through, and fix them as soon as possible.

“Security bugs are like technical debt: fixing them later is expensive.”

1. Security Training

First off, we provide detailed documentation about common web security vulnerabilities that anyone can use and learn from.

Due to Nextcloud’s community focus, we also organize public security trainings for the community’s benefit. The next opportunity is at the Nextcloud Conference happening in-person in Berlin on October 1st and 2nd. There’s going to be plenty of opportunities to learn about security at the event!

Furthermore, developers are asked to fix security issues that they caused themselves. We do this because it’s an opportunity to learn from your mistake and make sure it doesn’t happen again.

2. Requirements

Privacy and security risks are constantly analyzed and then requirements are established.

For instance, we employ advanced threat modeling / attack surface analysis.

Designs are also always reviewed for security implications.

3. Implementation

As for when new code is developed for Nextcloud or a Nextcloud app, we employ a strict, mandatory code review process with two reviewers beside the original developer.

In addition, unsafe functions are forbidden e.g. unserialized, non-prepared statements, and unsafe comparisons.

Furthermore, our internal functions are designed to provide secure defaults for developers.

4. Verification

In general, Nextcloud follows industry-standard security processes and have them all independently verified.

For example, you can see an analysis of Nextcloud on OpenSSF Best Practices passing for all six sections.

We also regularly run static and dynamic security scans like Burp, Veracode, and others.

5. Response

About two weeks after a Nextcloud release, we disclose any and all security issues that we fixed. These are paired with advisories with CVE identifiers.

We also run a very successful and high paying bug bounty program, up to 10,000 Euros. Read more in our previous securities blog.

As a result of our response, statistics show a massive decrease of external security reports.


To learn more about Nextcloud security and advisories, see here.