First of all, thank you for asking and offering to share this information with us!
You can report issues through hackerOne: https://hackerone.com/nextcloud
We pay out bounties of up to USD 10,000 for issues that are found.
Please note that these have to be actual issues - not “gosh in some situations this kind of code can be a problem” style reports from a code scan, as these generate loads of false positives.
Let me elaborate on that, based on our experience handling security issues over the last few years.
There is quite a large number of false positives coming out of pen tests (especially those that do static analysis of our code), which is why we are usually only willing to take results that come with a verified exploit. In other words, we require you to do the work to prove it is an actual issue. Which is, in part, why we’re happy to pay out up to USD 10,000 for your report of a real issue! Of course, for customers we’re happy to provide the service of working with them or their pen testing firm to verify the potential issues which were found. But we can’t do this significant effort for free.
If you’d like to work with our security team to secure your instance, you can access our services through a subscription: https://nextcloud.com/enterprise
Another idea is to ask your pen testing firm to answer the question of ‘is this a real issue?’ / ‘is this an issue with the software or the setup?’ for you, or perhaps discuss with them submitting the issues through our bug bounty program. If they are confident these issues are real, well, they can get paid by us.
I will send you a direct email after answering this so you can reply to me in private about the nature of the issues that were found! I’ve put this answer here, in part, to document what the possible approaches are.