
But why would it be shoddy? We put a lot of effort into security and have a lot of people working on our code, with good automated testing and clear processes. See https://owncloud.org/security/ and https://doc.owncloud.org/server/9.0/developer_manual/general...

We're a large project (often an order of magnitude larger than others trying something similar) with a company behind it that has many large enterprise customers, which of course explains why we have good, transparent processes and dedicated security people.

None of that has to lead to good code as a rule, I admit that. And there sure is lots of less-than-perfect code in ownCloud. But I don't think it is fair to just claim it is any more shoddy than any competitor without any evidence of that.



I am not claiming that ownCloud is shoddy, I am just refuting the claim that somehow hosting your own server makes you a smaller target and somehow safer. Every code base eventually has security problems, sometimes as big as Heartbleed. If you are Amazon, you get a preferential disclosure and patches before it is publicly revealed. If you are John Doe, you had better hope that you read the CVE as soon as it's published and that you can patch the server right then.


That is why we publish updates with fixes 2 weeks before we publish CVEs. If a would-be hacker follows CVEs, all users who updated in the last 2 weeks are safe.

On top of that, while we prepare updates mostly in public on GitHub, we only release the security-related fixes the moment we release the update.

So a would-be hacker would have to look through the source code of the update to identify security fixes, and then he/she can hack ownCloud instances. (Lukas should check this, btw, I'm only 75% sure about this.)

There is nothing we, or anybody working on any product, can do about users not updating, though we do give warnings, offer packages which make updating easier, and do all we can to use security hardening to limit the damage security problems can do.

It is true that hosting your own server doesn't make you safer from targeted attacks. If you follow our security recommendations, you'll be quite OK, though, and there are tricks like using a special port and port knocking and what-not to improve security even more.

But this is no different to any other self-hosting tech.

Yeah, a public cloud can do better: they don't publish any source. They also have, almost by default, a back door for the NSA, so that's like saying "let's give up on trying to build a roof because if you do, it could have a leak".
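The comment above mentions port knocking as one of the "tricks" for hardening a self-hosted instance. The block below is an added example, not code from the original thread or from the ownCloud project, of the core logic such a gate needs: a per-source state machine that only opens the protected port after the correct knock sequence arrives in order and within a time window. The knock sequence, the timeout, the protected port and the sample connection attempts are all constructed here for illustration (in a real deployment they would come from a packet capture or firewall log, and the "allow"/"deny" decision would drive a firewall rule).

```python
"""Minimal port-knocking gate as a pure state machine (added example).

Each observed connection attempt is a (timestamp, source_ip, dst_port) tuple.
A source must hit KNOCK_SEQUENCE in order, within KNOCK_TIMEOUT seconds,
before a connection to PROTECTED_PORT is allowed; the opened window also
expires after KNOCK_TIMEOUT seconds. All values are assumptions for the demo.
"""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret knock sequence
KNOCK_TIMEOUT = 10.0                  # seconds to finish knocking / keep port open
PROTECTED_PORT = 443                  # assumed port the web login lives on


@dataclass
class KnockState:
    index: int = 0        # how many knocks of the sequence have matched so far
    started: float = 0.0  # timestamp of the first knock in this attempt


class KnockGate:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT,
                 protected_port=PROTECTED_PORT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.protected_port = protected_port
        self.progress = {}   # src_ip -> KnockState (knock in progress)
        self.opened = {}     # src_ip -> timestamp the sequence completed

    def observe(self, ts, src, port):
        """Feed one connection attempt; return 'allow', 'deny' or 'knock'."""
        if port == self.protected_port:
            opened_at = self.opened.get(src)
            if opened_at is not None and ts - opened_at <= self.timeout:
                return "allow"
            return "deny"   # default-deny: no completed knock in the window

        # Any other port is treated as a (possible) knock for this source.
        st = self.progress.get(src)
        if st is None or ts - st.started > self.timeout:
            st = KnockState()            # stale or absent attempt: start fresh
            self.progress[src] = st
        if st.index == 0:
            st.started = ts

        if port == self.sequence[st.index]:
            st.index += 1
            if st.index == len(self.sequence):
                self.opened[src] = ts    # sequence complete: open the window
                del self.progress[src]
        else:
            # Wrong knock resets the attempt; a hit on the first port of the
            # sequence counts as the start of a new attempt.
            st.index = 1 if port == self.sequence[0] else 0
            st.started = ts
        return "knock"


# Constructed sample traffic (not real logs): two sources, one knocking
# correctly, one in the wrong order, plus a late retry after the window closes.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", 443),    # deny: nobody has knocked yet
    (1.0, "203.0.113.5", 7000),
    (1.5, "203.0.113.5", 8000),
    (2.0, "203.0.113.5", 9000),   # sequence complete
    (2.5, "203.0.113.5", 443),    # allow: inside the 10 s window
    (3.0, "198.51.100.9", 7000),
    (3.2, "198.51.100.9", 9000),  # wrong order: attempt reset
    (3.4, "198.51.100.9", 8000),
    (3.6, "198.51.100.9", 443),   # deny
    (20.0, "203.0.113.5", 443),   # deny: the opened window has expired
]


def run_sample(events=SAMPLE_EVENTS):
    """Replay the events through a fresh gate and return the decisions."""
    gate = KnockGate()
    return [gate.observe(ts, src, port) for ts, src, port in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{event[0]:5.1f}s {event[1]:>13} -> {event[2]:<5} {decision}")
```

The practitioner's caveat the thread only hints at: a knock sequence travels in the clear, so anyone who can watch the wire (or the firewall log) learns it, and the gate above does nothing against an attacker who already has network position. It reduces exposure of the login screen to mass scanners; it is not a substitute for applying the update that carries the fix.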


BTW, if your ownCloud just presents a login screen to others, I mean, how often can somebody break in through that with automated means? Not "never", I suppose, but it should be rare...



