From e86ba2b85d69f51e1e2951b3e86a72c9d71d0427 Mon Sep 17 00:00:00 2001 From: Josh Richards Date: Thu, 26 Oct 2023 09:19:15 -0400 Subject: [PATCH] Add community/third-party apps note to security policy Just making it match the new global one in nextcloud/.github#241 Signed-off-by: Josh Richards --- SECURITY.md | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 06a96aac0373b..e8fbee2783727 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,14 +1,14 @@ # Security Policy -[Security](https://nextcloud.com/security/) is very important to us. +[Security](https://nextcloud.com/security/) is very important to us. -If you believe you have found a security vulnerability that meets our definition of a security +If you believe you have found a security vulnerability that meets our definition of a security vulnerability, please report is as described below. ## Context -Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what -is currently considered a security vulnerability versus expected behavior. And review what is considered +Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what +is currently considered a security vulnerability versus expected behavior. And review what is considered [in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes). 
@@ -31,13 +31,17 @@ Your report should include: You should receive an initial acknowledgement within 24 hours in most cases. -A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions, +A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions, and coordinate the fix and publication. The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added -to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud -community. +to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud +community. + +If the vulnerability involves an app that is not maintained by Nextcloud (i.e. hosted by the +Nextcloud project but community maintained, or hosted elsewhere), the security team will try to coordinate with the +current maintainer and help to get the issue fixed in similar fashion. ### Bug Bounties @@ -47,8 +51,7 @@ on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackeron ## Existing Security Advisories Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at -[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories -). +[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories). ## Supported Versions
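Review bot: in the first hunk (`@@ -1,14 +1,14 @@`) the only changes are trailing-whitespace removals, but the unchanged context line `vulnerability, please report is as described below.` carries a typo ("report is" should read "report it"); since this pass already rewrites the two lines around it, fixing that word here avoids another cosmetic commit to the same paragraph.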
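Review bot: in the second hunk (`@@ -31,13 +31,17 @@`) the new paragraph's closing phrase "help to get the issue fixed in similar fashion" reads better as "in a similar fashion" (or "in the same way"), and the re-emitted context line `follow-up with any questions` uses the noun form where the verb "follow up" is meant; both are one-word fixes in lines this hunk already touches. The added note also only says the team "will try to coordinate" with the maintainer of a non-Nextcloud app, so a reporter is left without an expectation for the case where the maintainer does not respond; if the global text in nextcloud/.github#241 covers that case, mirroring its wording here keeps the two policies matching, which is the stated goal of the commit.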