blob: eea4d06e09d5979f84d2accd8b548e0b41b363a6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
# Security Policy
[Security](https://nextcloud.com/security/) is very important to us.
If you believe you have found a security vulnerability that meets our definition of a security
vulnerability, please report is as described below.
## Context
Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what
is currently considered a security vulnerability versus expected behavior. And review what is considered
[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes).
You can expect a response within 24 hours in most cases.
## Reporting a Vulnerability
** **Please do _not_ report security vulnerabilities through public GitHub issues.** **
If you have discovered a security matter with Nextcloud, please read our
[responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at
[hackerone.com/nextcloud](https://hackerone.com/nextcloud).
Your report should include:
- Product version
- A vulnerability description
- Reproduction steps
- Any other details you think are likely to be important
### What to Expect
You should receive an initial acknowledgement within 24 hours in most cases.
A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions,
and coordinate a fix.
The fix will be applied to the `master` branch, tested, and packaged in the next security release.
The vulnerability will be publicly announced after the release. Finally, your name will be added
to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud
community.
### Bug Bounties
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details
on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
## Existing Security Advisories
Past advisories can be viewed at
[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories
).
## Supported Versions
The latest three major release versions of Nextcloud are currently being supported with security updates.
Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.
## Additional Information
Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security.
Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks.
|
