Browse Source
SECURITY: Add {links, headings, $, scope, public GH Issues notes}
SECURITY: Add {links, headings, $, scope, public GH Issues notes}
* Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards <josh.t.richards@gmail.com>pull/40966/head
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 47 additions and 10 deletions
-
57SECURITY.md
@ -1,25 +1,62 @@ |
|||
# Security Policy |
|||
|
|||
## Supported Versions |
|||
[Security](https://nextcloud.com/security/) is very important to us. |
|||
|
|||
The latest three major release versions of Nextcloud are currently being supported with security updates. |
|||
Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details. |
|||
If you believe you have found a security vulnerability that meets our definition of a security |
|||
vulnerability, please report is as described below. |
|||
|
|||
## Context |
|||
|
|||
Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what |
|||
is currently considered a security vulnerability versus expected behavior. And review what is considered |
|||
[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes). |
|||
|
|||
You can expect a response within 24 hours in most cases. |
|||
|
|||
## Reporting a Vulnerability |
|||
|
|||
Security is very important to us. If you have discovered a security issue with Nextcloud, |
|||
please read our responsible disclosure guidelines and contact us at [hackerone.com/nextcloud](https://hackerone.com/nextcloud). |
|||
** **Please do _not_ report security vulnerabilities through public GitHub issues.** ** |
|||
|
|||
If you have discovered a security matter with Nextcloud, please read our |
|||
[responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at |
|||
[hackerone.com/nextcloud](https://hackerone.com/nextcloud). |
|||
|
|||
Your report should include: |
|||
|
|||
- Product version |
|||
- A vulnerability description |
|||
- Reproduction steps |
|||
- Any other details you think are likely to be important |
|||
|
|||
### What to Expect |
|||
|
|||
You should receive an initial acknowledgement within 24 hours in most cases. |
|||
|
|||
A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. |
|||
The fix will be applied to the master branch, tested, and packaged in the next security release. |
|||
A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions, |
|||
and coordinate a fix. |
|||
|
|||
The fix will be applied to the `master` branch, tested, and packaged in the next security release. |
|||
The vulnerability will be publicly announced after the release. Finally, your name will be added |
|||
to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud community. Note our |
|||
[threat model](https://nextcloud.com/security/threat-model) to know what is expected behavior. |
|||
to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud |
|||
community. |
|||
|
|||
### Bug Bounties |
|||
|
|||
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details |
|||
on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud). |
|||
|
|||
## Existing Security Advisories |
|||
|
|||
Past advisories can be viewed at |
|||
[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories |
|||
). |
|||
|
|||
## Supported Versions |
|||
|
|||
The latest three major release versions of Nextcloud are currently being supported with security updates. |
|||
Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details. |
|||
|
|||
## Additional Information |
|||
|
|||
Please visit https://nextcloud.com/security/ for further information about security. |
|||
Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security. |
|||
Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks. |
Write
Preview
Loading…
Cancel
Save
Reference in new issue