- # Security Policy
-
- [Security](https://nextcloud.com/security/) is very important to us.
-
- If you believe you have found a security vulnerability that meets our definition of a security
- vulnerability, please report it as described below.
-
- ## Context
-
- Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what
- is currently considered a security vulnerability versus expected behavior. Also review what is considered
- [in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes).
-
-
- ## Reporting a Vulnerability
-
- **Please do _not_ report security vulnerabilities through public GitHub issues.**
-
- If you have discovered a security matter with Nextcloud, please read our
- [responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at
- [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
-
- Your report should include:
-
- - Product version
- - A vulnerability description
- - Reproduction steps
- - Any other details you think are likely to be important
-
- ### What to Expect
-
- You should receive an initial acknowledgement within 24 hours in most cases.
-
- A member of the security team will confirm the vulnerability, determine its impact, follow up with any questions,
- and coordinate the fix and publication.
-
- The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release.
- The vulnerability will be publicly announced after the release. Finally, your name will be added
- to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud
- community.
-
- ### Bug Bounties
-
- If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details
- on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
-
- ## Existing Security Advisories
-
- Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at
- [https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories).
-
- ## Supported Versions
-
- Nextcloud Server major release versions are supported with security updates for 1 year after their initial release.
- Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.
-
- ## Additional Information
-
- Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security.
- Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks.