Skip to content

Commit

Permalink
Merge pull request #41136 from nextcloud/jr-sec-policy-community-apps
Browse files Browse the repository at this point in the history
Update security policy to match new project-wide default one
  • Loading branch information
nickvergessen authored Jan 21, 2024
2 parents af313a7 + e86ba2b commit 6012450
Showing 1 changed file with 12 additions and 9 deletions.
21 changes: 12 additions & 9 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
# Security Policy

[Security](https://nextcloud.com/security/) is very important to us.
[Security](https://nextcloud.com/security/) is very important to us.

If you believe you have found a security vulnerability that meets our definition of a security
If you believe you have found a security vulnerability that meets our definition of a security
vulnerability, please report is as described below.

## Context

Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what
is currently considered a security vulnerability versus expected behavior. And review what is considered
Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what
is currently considered a security vulnerability versus expected behavior. And review what is considered
[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes).


Expand All @@ -31,13 +31,17 @@ Your report should include:

You should receive an initial acknowledgement within 24 hours in most cases.

A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions,
A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions,
and coordinate the fix and publication.

The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release.
The vulnerability will be publicly announced after the release. Finally, your name will be added
to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud
community.
to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud
community.

If the vulnerability involves an app that is not maintained by Nextcloud (i.e. hosted by the
Nextcloud project but community maintained, or hosted elsewhere), the security team will try to coordinate with the
current maintainer and help to get the issue fixed in similar fashion.

### Bug Bounties

Expand All @@ -47,8 +51,7 @@ on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackeron
## Existing Security Advisories

Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at
[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories
).
[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories).

## Supported Versions

Expand Down

0 comments on commit 6012450

Please sign in to comment.