Nextcloud offers a security bug bounty program, recognizing the contributions of security researchers to the safety and privacy of Nextcloud users. For our Android Files and Talk apps, we now also participate in the GPSRP (Google Play Security Reward Program), which provides additional and specific awards for finding security issues in these apps. According to Google:
“The goal of the program is to identify and mitigate vulnerabilities in apps on Google Play, and keep Android users, developers, and the Google Play ecosystem safe.”
Security researchers who responsibly disclose the applicable issues they find to Nextcloud will be able to apply for an additional reward of up to $20,000 from the GPSRP program. Researchers first go through Nextcloud’s existing bug bounty program before they reach out to Google. The two main categories of issues covered by GPSRP are arbitrary code execution (ACE) and theft of sensitive data.
For Google, the benefits are twofold. First, with more secure apps on its platform, the risk of bad news due to data leaks is reduced. Second, where the issues are caused by problems in Google’s APIs and platform capabilities, Google will get insights and a chance to improve those, which will benefit the security of all apps in the store.
Nextcloud users of course benefit from improved security, even when they do not get their apps from the Google Play store but through F-Droid.
You can find details and information on participation on the bughunters page of Google.