mirror of
https://github.com/nextcloud/server.git
synced 2025-01-30 22:37:01 +00:00
0ded3ad2b2
Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
61 lines
2.6 KiB
Markdown
61 lines
2.6 KiB
Markdown
# Security Policy
|
|
|
|
[Security](https://nextcloud.com/security/) is very important to us.
|
|
|
|
If you believe you have found a security vulnerability that meets our definition of a security
|
|
vulnerability, please report is as described below.
|
|
|
|
## Context
|
|
|
|
Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what
|
|
is currently considered a security vulnerability versus expected behavior. And review what is considered
|
|
[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes).
|
|
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
** **Please do _not_ report security vulnerabilities through public GitHub issues.** **
|
|
|
|
If you have discovered a security matter with Nextcloud, please read our
|
|
[responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at
|
|
[hackerone.com/nextcloud](https://hackerone.com/nextcloud).
|
|
|
|
Your report should include:
|
|
|
|
- Product version
|
|
- A vulnerability description
|
|
- Reproduction steps
|
|
- Any other details you think are likely to be important
|
|
|
|
### What to Expect
|
|
|
|
You should receive an initial acknowledgement within 24 hours in most cases.
|
|
|
|
A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions,
|
|
and coordinate the fix and publication.
|
|
|
|
The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release.
|
|
The vulnerability will be publicly announced after the release. Finally, your name will be added
|
|
to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud
|
|
community.
|
|
|
|
### Bug Bounties
|
|
|
|
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details
|
|
on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
|
|
|
|
## Existing Security Advisories
|
|
|
|
Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at
|
|
[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories
|
|
).
|
|
|
|
## Supported Versions
|
|
|
|
Nextcloud Server major release versions are being supported with security updates for 1 year after their initial release.
|
|
Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.
|
|
|
|
## Additional Information
|
|
|
|
Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security.
|
|
Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks.
|