From 59366eebb8f4f5ad87e601aa3947ba54febf68d2 Mon Sep 17 00:00:00 2001 From: Josh Richards Date: Wed, 18 Oct 2023 11:42:44 -0400 Subject: [PATCH 1/2] SECURITY: Add {links, headings, $, scope, public GH Issues notes} * Add links to various relevant pages (scope, existing security advisories) * Add request to not report vulnerabilities in public GH issues * Mention bounty program * Reorganized and added some new headings Signed-off-by: Josh Richards --- SECURITY.md | 57 +++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 47 insertions(+), 10 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index ee4bdb12ecacd..eea4d06e09d59 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,25 +1,62 @@ # Security Policy -## Supported Versions +[Security](https://nextcloud.com/security/) is very important to us. -The latest three major release versions of Nextcloud are currently being supported with security updates. -Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details. +If you believe you have found a security vulnerability that meets our definition of a security +vulnerability, please report is as described below. + +## Context + +Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what +is currently considered a security vulnerability versus expected behavior. And review what is considered +[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes). + +You can expect a response within 24 hours in most cases. ## Reporting a Vulnerability -Security is very important to us. If you have discovered a security issue with Nextcloud, -please read our responsible disclosure guidelines and contact us at [hackerone.com/nextcloud](https://hackerone.com/nextcloud). +** **Please do _not_ report security vulnerabilities through public GitHub issues.** ** + +If you have discovered a security matter with Nextcloud, please read our +[responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at +[hackerone.com/nextcloud](https://hackerone.com/nextcloud). + Your report should include: - Product version - A vulnerability description - Reproduction steps +- Any other details you think are likely to be important + +### What to Expect + +You should receive an initial acknowledgement within 24 hours in most cases. -A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. -The fix will be applied to the master branch, tested, and packaged in the next security release. 
+A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions, +and coordinate a fix. + +The fix will be applied to the `master` branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added -to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud community. Note our -[threat model](https://nextcloud.com/security/threat-model) to know what is expected behavior. +to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud +community. + +### Bug Bounties + +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details +on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud). + +## Existing Security Advisories + +Past advisories can be viewed at +[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories +). + +## Supported Versions + +The latest three major release versions of Nextcloud are currently being supported with security updates. +Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details. +## Additional Information -Please visit https://nextcloud.com/security/ for further information about security. +Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security. +Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks. From 0ded3ad2b20ed0c239a5047960f42e5453b658e0 Mon Sep 17 00:00:00 2001 
From: Josh Richards Date: Fri, 20 Oct 2023 09:03:59 -0400 Subject: [PATCH 2/2] Apply suggestions Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Josh Richards --- SECURITY.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index eea4d06e09d59..06a96aac0373b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,7 +11,6 @@ Please review our [threat model and accepted risks](https://nextcloud.com/securi is currently considered a security vulnerability versus expected behavior. And review what is considered [in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes). -You can expect a response within 24 hours in most cases. ## Reporting a Vulnerability @@ -33,9 +32,9 @@ Your report should include: You should receive an initial acknowledgement within 24 hours in most cases. A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions, -and coordinate a fix. +and coordinate the fix and publication. -The fix will be applied to the `master` branch, tested, and packaged in the next security release. +The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud community. 
@@ -47,13 +46,13 @@ on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackeron ## Existing Security Advisories -Past advisories can be viewed at +Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at [https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories ). ## Supported Versions -The latest three major release versions of Nextcloud are currently being supported with security updates. +Nextcloud Server major release versions are being supported with security updates for 1 year after their initial release. Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details. ## Additional Information
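Review bot: typo in the new intro paragraph of the single hunk in PATCH 1/2: "please report is as described below" should read "please report it as described below". Two smaller points in the same hunk: the warning is wrapped as `** **Please do _not_ report security vulnerabilities through public GitHub issues.** **`, and the outer `** **` with the spaces inside will not render as emphasis in GitHub-flavoured Markdown, so drop them and keep one `**...**` pair; and "follow-up with any questions" uses the noun form where the verb "follow up" is meant. The hunk also states the 24-hour window twice ("You can expect a response within 24 hours in most cases." under Context and "You should receive an initial acknowledgement within 24 hours in most cases." under What to Expect); PATCH 2/2 removes the first copy.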
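Review bot: in the `@@ -11,7 +11,6 @@` hunk of PATCH 2/2, dropping only the text line "You can expect a response within 24 hours in most cases." leaves the blank line above it adjacent to the blank line below it (the hunk shrinks from 7 lines to 6 with no blank line removed), so one of the surrounding blank lines should go as well. The deduplication itself is right, since the What to Expect section already carries the 24-hour acknowledgement statement.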
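Review bot: in the `@@ -33,9 +32,9 @@` hunk, "all applicable and still supported stable branches" is clearer than naming `master`, but the unchanged context line directly above, "follow-up with any questions", still has the noun form; since this paragraph is being reworded anyway, change it to "follow up with any questions" in the same hunk. "and coordinate the fix and publication" would also read more cleanly as "and coordinate the fix and its publication".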
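Review bot: in the `@@ -47,13 +46,13 @@` hunk, the new Supported Versions sentence scopes the 1-year support window to "Nextcloud Server major release versions", while the rewritten advisories sentence in the same hunk covers "the Nextcloud Server, Clients and Apps"; consider stating, or linking to, where the support window for clients and apps is documented so readers do not assume the Server rule applies to them. Two presentation points in this hunk's context lines: the advisories link still has its closing `)` on its own line after the URL, which should be joined to the link line, and "## Additional Information" directly follows the maintenance-schedule sentence with no blank line between them, unlike every other heading in the file.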