HowTo Bruteforce Owncloud

By default, Owncloud has no account lockout or login rate limiting (it can be enabled in the settings), which means you can get an easy bug bounty
(CWE-307: Improper Restriction of Excessive Authentication Attempts):

https://github.com/AbandonwareDev/owncloud_bruteforcer

The tool may also slow down an Owncloud instance by a factor of 3 at 20 threads (using 100% CPU), so there is a potential DoS as well.
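
A defender-side check for the missing rate limit described above, as an added example that is not part of the original post or the linked tool: it counts failed logins per source IP inside a sliding time window. The log layout (one JSON object per line with a `time` field and a `Login failed: '<user>' (Remote IP: '<ip>')` message), the threshold, and the sample entries are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of a failed-login message in owncloud.log (one JSON object per line).
FAILED = re.compile(r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']+)'")

def parse_failures(lines):
    """Yield (time, ip, user) for each failed-login entry; skip unparsable lines."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry, dict):
            continue
        m = FAILED.search(entry.get("message", ""))
        if m and "time" in entry:
            yield datetime.fromisoformat(entry["time"]), m["ip"], m["user"]

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: usernames tried} for IPs with >= threshold failures in one window."""
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    users_by_ip = defaultdict(set)   # ip -> every username that IP failed against
    flagged = {}
    for ts, ip, user in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        users_by_ip[ip].add(user)
        if len(q) >= threshold:
            flagged[ip] = users_by_ip[ip]
    return flagged

def _line(ts, msg):
    return json.dumps({"time": ts, "app": "core", "message": msg})

# Constructed sample: six rapid failures from one IP, two slow ones from another, one junk line.
SAMPLE_LOG = [
    _line(f"2024-01-01T10:00:{s:02d}+00:00", "Login failed: 'admin' (Remote IP: '203.0.113.7')")
    for s in range(0, 12, 2)
] + [
    _line("2024-01-01T10:00:05+00:00", "Login failed: 'bob' (Remote IP: '198.51.100.4')"),
    _line("2024-01-01T10:05:05+00:00", "Login failed: 'bob' (Remote IP: '198.51.100.4')"),
    "not json at all",
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```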