author    Josh Richards <josh.t.richards@gmail.com>  2023-10-18 11:42:44 -0400
committer GitHub <noreply@github.com>  2023-10-18 11:42:44 -0400
commit    59366eebb8f4f5ad87e601aa3947ba54febf68d2 (patch)
tree      2215a600171cf4b45acfadc1363e03e45fe87094 /SECURITY.md
parent    a1d70ab78ad650c0860197ef37ecbe047be2ff0b (diff)
SECURITY: Add {links, headings, $, scope, public GH Issues notes}
* Add links to various relevant pages (scope, existing security advisories)
* Add request to not report vulnerabilities in public GH issues
* Mention bounty program
* Reorganized and added some new headings

Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
Diffstat (limited to 'SECURITY.md')
-rw-r--r--  SECURITY.md  57
1 files changed, 47 insertions, 10 deletions
diff --git a/SECURITY.md b/SECURITY.md
index ee4bdb12eca..eea4d06e09d 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,25 +1,62 @@
# Security Policy
-## Supported Versions
+[Security](https://nextcloud.com/security/) is very important to us.
-The latest three major release versions of Nextcloud are currently being supported with security updates.
-Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.
+If you believe you have found a security vulnerability that meets our definition of a security
+vulnerability, please report is as described below.
+
+## Context
+
+Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what
+is currently considered a security vulnerability versus expected behavior. And review what is considered
+[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes).
+
+You can expect a response within 24 hours in most cases.
## Reporting a Vulnerability
-Security is very important to us. If you have discovered a security issue with Nextcloud,
-please read our responsible disclosure guidelines and contact us at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
+** **Please do _not_ report security vulnerabilities through public GitHub issues.** **
+
+If you have discovered a security matter with Nextcloud, please read our
+[responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at
+[hackerone.com/nextcloud](https://hackerone.com/nextcloud).
+
Your report should include:
- Product version
- A vulnerability description
- Reproduction steps
+- Any other details you think are likely to be important
+
+### What to Expect
+
+You should receive an initial acknowledgement within 24 hours in most cases.
-A member of the security team will confirm the vulnerability, determine its impact, and develop a fix.
-The fix will be applied to the master branch, tested, and packaged in the next security release.
+A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions,
+and coordinate a fix.
+
+The fix will be applied to the `master` branch, tested, and packaged in the next security release.
The vulnerability will be publicly announced after the release. Finally, your name will be added
-to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud community. Note our
-[threat model](https://nextcloud.com/security/threat-model) to know what is expected behavior.
+to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud
+community.
+
+### Bug Bounties
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details
+on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
+
+## Existing Security Advisories
+
+Past advisories can be viewed at
+[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories
+).
+
+## Supported Versions
+
+The latest three major release versions of Nextcloud are currently being supported with security updates.
+Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.
+## Additional Information
-Please visit https://nextcloud.com/security/ for further information about security.
+Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security.
+Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks.
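Review bot: typo in the new intro line `please report is as described below`; it should read `please report it as described below`. The bold wrapper `** **Please do _not_ report security vulnerabilities through public GitHub issues.** **` has stray `** **` pairs that will render as literal asterisks; `**Please do _not_ report security vulnerabilities through public GitHub issues.**` is enough. The Existing Security Advisories link splits its URL across two lines with the closing `)` on its own line, which breaks the Markdown link; keep the whole link on one line. The 24-hour response expectation now appears twice (under Context and under What to Expect); keeping only the What to Expect version avoids the two drifting apart. A blank line is also missing between the Supported Versions paragraph and the `## Additional Information` heading, matching the spacing used before the other new headings.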