Add community/third-party apps note to security policy
Just making it match the new global one in nextcloud/.github#241 Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
This commit is contained in:
parent
e98be0a147
commit
e86ba2b85d
21
SECURITY.md
21
SECURITY.md
|
@ -1,14 +1,14 @@
|
|||
# Security Policy
|
||||
|
||||
[Security](https://nextcloud.com/security/) is very important to us.
|
||||
[Security](https://nextcloud.com/security/) is very important to us.
|
||||
|
||||
If you believe you have found a security vulnerability that meets our definition of a security
|
||||
If you believe you have found a security vulnerability that meets our definition of a security
|
||||
vulnerability, please report is as described below.
|
||||
|
||||
## Context
|
||||
|
||||
Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what
|
||||
is currently considered a security vulnerability versus expected behavior. And review what is considered
|
||||
Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what
|
||||
is currently considered a security vulnerability versus expected behavior. And review what is considered
|
||||
[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes).
|
||||
|
||||
|
||||
|
@ -31,13 +31,17 @@ Your report should include:
|
|||
|
||||
You should receive an initial acknowledgement within 24 hours in most cases.
|
||||
|
||||
A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions,
|
||||
A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions,
|
||||
and coordinate the fix and publication.
|
||||
|
||||
The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release.
|
||||
The vulnerability will be publicly announced after the release. Finally, your name will be added
|
||||
to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud
|
||||
community.
|
||||
to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud
|
||||
community.
|
||||
|
||||
If the vulnerability involves an app that is not maintained by Nextcloud (i.e. hosted by the
|
||||
Nextcloud project but community maintained, or hosted elsewhere), the security team will try to coordinate with the
|
||||
current maintainer and help to get the issue fixed in similar fashion.
|
||||
|
||||
### Bug Bounties
|
||||
|
||||
|
@ -47,8 +51,7 @@ on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackeron
|
|||
## Existing Security Advisories
|
||||
|
||||
Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at
|
||||
[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories
|
||||
).
|
||||
[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories).
|
||||
|
||||
## Supported Versions
|
||||
|
||||
|
|
Loading…
Reference in New Issue