Nextcloud Security Scan

Hello,

I have a paid /e/ cloud account plan and I really like using it, but I just checked the ecloud.global URL on the Nextcloud Security Scan and it gets an F rating. Is this correct and should we be worried?


1 Like

Thanks for reporting this in. Have passed it on to the infra team to check and address.

Here is my opinion:

That's a result of /e/'s unwise “fork → heavily modify → lose ability to pull upstream quickly” mentality.
Sadly, the same applies to /e/'s standard software, especially the browser, which is critical for security, but constantly out of date.

So you should definitely be worried.

1 Like

I have a paid ecloud account and this is just the latest (and major) issue I’ve had with the service. Others are:

  • sync errors in the notes mobile app, although i never lost any information;
  • the email is not very reliable;
  • some services don’t “work” with the e.email domain;
  • the (minor) issue with the wrong storage quota report in rainloop;
  • the recent disappearance of the bookmark app without any communication;

I really like the /e/ Foundation's work and I was even considering buying a Murena smartphone, but these issues, especially the low ecloud report, knock down my trust and I’ll take my business elsewhere.

Hi rch,

I’m Arnau, Engineering Manager responsible for ecloud and /e/ server infrastructure. Let me answer the different points you have raised here:

F rating on NC security scan

We were recently getting an A+ here. As you can see, the Hardening and Setup sections are all green checks. The reason why this score dropped so drastically is that Nextcloud releases two “major versions” a year, so they quickly mark the older ones as End of Life. The old versions aren’t necessarily affected by any vulnerabilities, nor are the new ones 100% exempt from them. In fact, they are more likely to introduce problems than a known stable version which only changes with select patches. I cannot find in the changelog of 21.0.9, released one month ago, any vulnerability that could be used against ecloud.global (we don’t have LDAP).

We monitor security bulletins on the different components of the platform, and act on them quickly whenever the conditions make them exploitable. We also have some automated mechanisms to detect unusual behaviour that could be part of an attack.

In my opinion, the statement “It is likely trivial to break in and steal all the data or even take over the entire server” is misleading in this case, since we’re not talking about an NC16 installation with known security bugs and totally outdated underlying components (OS, proxies, DBs); it’s quite the opposite. Even the version number is different (21.0.7.18) because we’re running ecloud, not a vanilla Nextcloud. And these pieces of software will possibly continue to diverge as we target different users, so their rating will make less sense (while of course incorporating security patches in a timely manner).

sync errors in the notes mobile app

I’ve come across some users being affected by this, but in fact recently we had no more reports. So please add your comment to the issue or write to helpdesk@e.email with details of the message/affected notes so we can troubleshoot.

the email is not very reliable

We are indeed working hard on improving this particular component, but without a bug report or helpdesk ticket I cannot really offer an explanation for the problem you’re seeing. Is it uptime, delays, deliverability?

We plan to expand the number of mail servers in the next few weeks, as well as fine-tune spam and phishing protections to prevent abusive behaviour from affecting legitimate users (which is the main problem we face).

some services don’t “work” with the e.email domain

Well, e.email is a valid domain, so in this case it’s a bug of “the other services”. However, we’re aware of this problem and we are also rolling out a new domain in the next 2 months.

the (minor) issue with the wrong storage quota report in rainloop

Rainloop does provide a valid quota usage, but it’s only counting the mail part. We will start development this month of a unified quota widget that can show you the actual joint usage of your files and e-mails, and hide the one in rainloop.

the recent disappearance of the bookmark app without any communication

Well, this is a secondary feature used by ~250 users and didn’t need announcing on our main Telegram announcements channel. Instead, we wrote about it on the https://status.ecloud.global/ page, which is probably not well known; this needs to be improved. We were also exploring an announcements app that shows a banner in ecloud.global.

We also had an issue open in our bug tracker; I recommend you look there first when you’re facing an issue, and if not submit the problem yourself. That’s the way we can provide all context and workarounds.

I really like the /e/ Foundation's work and I was even considering buying a Murena smartphone, but these issues, especially the low ecloud report, knock down my trust and I’ll take my business elsewhere.

You can get a Murena phone and use any public Nextcloud instance or e-mail provider; they are completely independent. We of course aim for them to be a great out-of-the-box working combo.

We are also working hard on improving ecloud in 2022, but in fact this sometimes means fixing applications which are announced as stable or complete in the Nextcloud app store when in fact they are unstable as offered when used on a larger scale (see the Bookmarks example). And this needs to be done in parallel with adding our own features or specific eOS backends.

Hope those answers are useful. By the way, I didn’t see the /e/ account associated with your community forum address belonging to the premium group or having a larger quota. Please contact aftersales@e.email if you believe this to be an error.

Kind regards,
Arnau

8 Likes

It is a legitimate opinion; understandable, as it has indeed affected some eOS projects. I don’t think it applies here because we don’t fork Nextcloud, we patch it and add custom themes and apps developed using standard APIs that don’t prevent us from upgrading core at any time.

The reason why we didn’t update the Nextcloud core in ecloud to 21.0.9 is that we are working on very important features and fixes (some mentioned by rch in his second message), and such changes from Nextcloud (and all the apps like Contacts, Calendar…) require a non-negligible amount of QA to ensure there are no regressions, both in their own functionality and in the interaction with our patches/setup AND the current versions of eOS clients deployed.

For this reason, no matter how diligent and big our team is, Nextcloud core and apps in ecloud will always lag some weeks or months behind upstream. There is one exception, of course: if the new release contains an important security fix, or you are able to point to one (even if the fix is not backported), we will either patch it or update core, potentially at the expense of some minor regressions in the aforementioned apps.

Kind regards,
Arnau

7 Likes
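Arnau's two replies above separate two things a version-based scanner blends together: whether the running major line is still maintained upstream, and how many patch releases a custom build (ecloud's 21.0.7.18 vs. upstream 21.0.9) is behind. The helper below, an added example that is not ecloud's or Nextcloud's own code, reads a constructed `status.php` payload and reports both signals separately; the support table and latest-release values are placeholders to be filled from Nextcloud's published maintenance schedule.

```python
import json
from dataclasses import dataclass

# Constructed sample of a Nextcloud status.php response (not a real capture).
# The four-component "version" mirrors the custom build mentioned in the thread.
SAMPLE_STATUS = json.dumps({
    "installed": True, "maintenance": False, "needsDbUpgrade": False,
    "version": "21.0.7.18", "versionstring": "21.0.7",
    "edition": "", "productname": "Nextcloud", "extendedSupport": False,
})

# Assumed inputs (placeholders): newest upstream release per major line, and the
# major lines upstream still maintains. Replace with the real maintenance schedule.
LATEST_UPSTREAM = {21: (21, 0, 9), 22: (22, 2, 6), 23: (23, 0, 3)}
SUPPORTED_MAJORS = {22, 23}


@dataclass
class VersionReport:
    running: tuple            # (major, minor, patch) actually deployed
    major_eol: bool           # True if the scanner would fail it purely on version age
    patch_lag: int            # patch releases behind the newest release of the same line


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH[.BUILD]' into ints, dropping any vendor build suffix."""
    parts = version.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts[:3])


def triage(status_json: str) -> VersionReport:
    """Split 'major line is EOL' from 'patch releases behind' so each can be acted on."""
    status = json.loads(status_json)
    running = parse_version(status["version"])
    latest = LATEST_UPSTREAM.get(running[0])
    lag = 0
    if latest and latest[:2] == running[:2]:
        lag = max(0, latest[2] - running[2])
    return VersionReport(running, running[0] not in SUPPORTED_MAJORS, lag)


if __name__ == "__main__":
    report = triage(SAMPLE_STATUS)
    print(f"running {'.'.join(map(str, report.running))}: "
          f"major EOL={report.major_eol}, patch lag={report.patch_lag}")
```

A major-line EOL flag is what drives the scan grade, while the patch lag is the number to compare against the release changelog when deciding whether an upgrade is actually security-relevant.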

Hello Arnau,

First of all thank you very much for your lengthy and important reply.

I think it was important (at least to me) to hear /e/’s perspective, and your words regarding the security scan and the work being done were reassuring.

You are right: this is not the account connected to my ecloud account and I’ll fix the duplicate accounts.

Notes App

In the notes app I just get a sync failed warning, but I don’t think I ever lost any information. I’m not very familiar with GitLab but I’ll take a look and report the issue.

e.email service

Every so often I get some delays sending or receiving email, and the fact that some services do not recognize the e.email domain is a first to me. I’m really glad to hear about the improvements to the service.

Bookmark app

The bookmark app is part of my workflow and I’m really glad that it’s back. I have already bookmarked the status page and will check it before complaining.

Once again, I really appreciate you taking the time to clarify the issues raised.

Best regards,
RCh

1 Like

Hello @arnauvp,
I was just wondering if ecloud was installed with a Tor structure?

But maybe it would be too slow.

Hi @loki , sorry for not replying.

Tor is indeed too slow; we had to replace it even in Spot, where it kind of made sense.
We use a WireGuard VPN network between our servers.

The article is interesting, but that use case seems quite specific and I would say one can have a similar gain by using a VPN or Tor browser + ecloud.global (since it only works over TLS).

1 Like

Yes, it is more for hiding; it’s specific. The protection ecloud needs is enough with a VPN, I think.