Nextcloud ends bug bounty program due to too many low-quality reports

Nextcloud is discontinuing its bug bounty program on HackerOne. The reason is the increasing flood of generic, AI-generated vulnerability reports, which makes it difficult to identify high-quality reports. Financial rewards will be completely discontinued, even for critical vulnerabilities. HackerOne will remain accessible for valid reports.

The Nextcloud security team announced this in an email to registered researchers. According to the team, the platform has been receiving an increasing number of low-quality reports for quite some time. “Like many other software projects, we have been receiving an increasing number of generic AI security reports via platforms such as HackerOne for some time now,” writes the Nextcloud Security Team. This makes it difficult to distinguish genuine, valuable reports from generic AI output.

No more rewards, even for severe vulnerabilities

No financial rewards will be paid for submitted reports, regardless of the severity of the vulnerability. Reports submitted before April 22 will still be processed under the old policy.

Nextcloud launched its bug bounty program in 2017 as part of its security strategy, aimed at attracting external researchers to identify vulnerabilities in the platform. Over the years, the company received hundreds of reports from the security community through HackerOne.

HackerOne remains open to valid reports

Nextcloud is not closing its HackerOne page. The platform remains accessible, and the team continues to welcome valid vulnerability reports. Only the financial reward structure is being discontinued. Researchers can continue to submit reports via hackerone.com/nextcloud, but will no longer receive compensation for them.

The Nextcloud Security Team thanked the research community for its past support. “We would like to take this opportunity to thank the research community for your past support in helping to make Nextcloud more secure,” the team stated. Nextcloud expressed hope that the community will continue to support the platform even without a financial incentive.
