mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 984 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
74147 Commits
370 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
nextcloud/SECURITY.md

SECURITY.md 2.9KB
Raw Permalink Normal View History

Set up a security policy Signed-off-by: Ruben Barkow-Kuder <github@r.z11.de>
4 years ago
Add community/third-party apps note to security policy Just making it match the new global one in nextcloud/.github#241 Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Set up a security policy Signed-off-by: Ruben Barkow-Kuder <github@r.z11.de>
4 years ago
Add community/third-party apps note to security policy Just making it match the new global one in nextcloud/.github#241 Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Add community/third-party apps note to security policy Just making it match the new global one in nextcloud/.github#241 Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Set up a security policy Signed-off-by: Ruben Barkow-Kuder <github@r.z11.de>
4 years ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Set up a security policy Signed-off-by: Ruben Barkow-Kuder <github@r.z11.de>
4 years ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Set up a security policy Signed-off-by: Ruben Barkow-Kuder <github@r.z11.de>
4 years ago
Add community/third-party apps note to security policy Just making it match the new global one in nextcloud/.github#241 Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Apply suggestions Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Apply suggestions Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Set up a security policy Signed-off-by: Ruben Barkow-Kuder <github@r.z11.de>
4 years ago
Add community/third-party apps note to security policy Just making it match the new global one in nextcloud/.github#241 Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Apply suggestions Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Add community/third-party apps note to security policy Just making it match the new global one in nextcloud/.github#241 Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Apply suggestions Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Set up a security policy Signed-off-by: Ruben Barkow-Kuder <github@r.z11.de>
4 years ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
Set up a security policy Signed-off-by: Ruben Barkow-Kuder <github@r.z11.de>
4 years ago
SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
6 months ago
 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. # Security Policy

  2. 

  3. [Security](https://nextcloud.com/security/) is very important to us.

  4. 

  5. If you believe you have found a security vulnerability that meets our definition of a security

  6. vulnerability, please report is as described below.

  7. 

  8. ## Context

  9. 

  10. Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what

  11. is currently considered a security vulnerability versus expected behavior. And review what is considered

  12. [in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes).

  13. 

  14. 

  15. ## Reporting a Vulnerability

  16. 

  17. ** **Please do _not_ report security vulnerabilities through public GitHub issues.** **

  18. 

  19. If you have discovered a security matter with Nextcloud, please read our

  20. [responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at

  21. [hackerone.com/nextcloud](https://hackerone.com/nextcloud).

  22. 

  23. Your report should include:

  24. 

  25. - Product version

  26. - A vulnerability description

  27. - Reproduction steps

  28. - Any other details you think are likely to be important

  29. 

  30. ### What to Expect

  31. 

  32. You should receive an initial acknowledgement within 24 hours in most cases.

  33. 

  34. A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions,

  35. and coordinate the fix and publication.

  36. 

  37. The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release.

  38. The vulnerability will be publicly announced after the release. Finally, your name will be added

  39. to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud

  40. community.

  41. 

  42. If the vulnerability involves an app that is not maintained by Nextcloud (i.e. hosted by the 

  43. Nextcloud project but community maintained, or hosted elsewhere), the security team will try to coordinate with the

  44. current maintainer and help to get the issue fixed in similar fashion.

  45. 

  46. ### Bug Bounties

  47. 

  48. If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details

  49. on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).

  50. 

  51. ## Existing Security Advisories

  52. 

  53. Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at

  54. [https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories).

  55. 

  56. ## Supported Versions

  57. 

  58. Nextcloud Server major release versions are being supported with security updates for 1 year after their initial release.

  59. Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.

  60. 

  61. ## Additional Information

  62. 

  63. Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security.

  64. Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks.