From ccf69cbe6d8afbe86efac42ef62e17fef2f4173a Mon Sep 17 00:00:00 2001 From: Josh Date: Fri, 26 Sep 2025 11:19:29 -0400 Subject: [PATCH] refactor(security): Revise security policy for clarity and structure Updated the security policy document to improve clarity and organization, including sections on reporting vulnerabilities and supported versions. Integrated guidance for admins versus reporters. Signed-off-by: Josh --- SECURITY.md | 106 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 66 insertions(+), 40 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 48573c4..7cc19cb 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -3,69 +3,95 @@ SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors SPDX-License-Identifier: MIT --> -# 💡 TLDR: Report issues at [hackerone.com/nextcloud](https://hackerone.com/nextcloud) +# Security Policy -# Security Policy +## 💡 TLDR: Report security issues at [hackerone.com/nextcloud](https://hackerone.com/nextcloud) -[Security](https://nextcloud.com/security/) is very important to us. +### Found a security bug in Nextcloud? Let's get it fixed! -If you believe you have found a security vulnerability that meets our definition of a security -vulnerability, please report is as described below. +If you believe you have found an issue that meets our +[definition of a security vulnerability](https://nextcloud.com/security/threat-model), +we encourage you to let us know right away. Please use the reporting process described below. -## Context +| If you are a... | See section... | +|-------------------------|---------------------------------------------------------------------------------------| +| Security Researcher | [How to Report a Vulnerability](#how-to-report-a-vulnerability) | +| Nextcloud Admin or User | [Security Advisories](#security-advisories), [Supported Versions](#supported-versions) | -Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what -is currently considered a security vulnerability versus expected behavior. And review what is considered -[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes). +--- +## How to Report a Vulnerability -## Reporting a Vulnerability +**⚠️ Do _not_ report security vulnerabilities through public GitHub issues.** -**⚠️ Please do _not_ report security vulnerabilities through public GitHub issues.** - -If you have discovered a security matter with Nextcloud, please read our -[responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at -[hackerone.com/nextcloud](https://hackerone.com/nextcloud). 
+Instead, please: +- Review our [responsible disclosure guidelines](https://nextcloud.com/security/) +- Submit your report via [HackerOne](https://hackerone.com/nextcloud) Your report should include: - - Product version -- A vulnerability description -- Reproduction steps -- Any other details you think are likely to be important +- A clear description of the vulnerability +- Steps to reproduce the issue (clear, step-by-step instructions are greatly appreciated) +- Any other details that may assist our investigation + +If you require encrypted communication, please request it in your initial message. + +> **Note:** This process is for confidential reporting of software vulnerabilities only. +> For general support or configuration help, see +> [Nextcloud Support](https://nextcloud.com/support/). -### What to Expect +## What to Expect After Reporting -You should receive an initial acknowledgement within 24 hours in most cases. +In most cases, you should receive an initial response within 24 hours. -A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions, -and coordinate the fix and publication. +A member of our security team will: +- Confirm the vulnerability +- Assess its impact +- Follow up with any questions +- Coordinate the fix and public disclosure -The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release. -The vulnerability will be publicly announced after the release. Finally, your name will be added -to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud -community. +We apply, test, and release fixes for all relevant, supported stable branches in the next +security update. Vulnerabilities are publicly announced after the fix is released. As a thank +you, we will add your name to our [Hall of Fame](https://hackerone.com/nextcloud/thanks). 
-If the vulnerability involves an app that is not maintained by Nextcloud (i.e. hosted by the -Nextcloud project but community maintained, or hosted elsewhere), the security team will try to coordinate with the -current maintainer and help to get the issue fixed in similar fashion. +If your report concerns an app not maintained by Nextcloud (e.g., community-maintained apps +hosted by Nextcloud or hosted elsewhere), our security team will coordinate with the current +maintainer to help resolve the issue in a similar fashion. -### Bug Bounties +## Bug Bounties -If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details -on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud). +If you are interested in a bug bounty, please note that complete, detailed reports can +contribute to higher bounty awards. Details on past bounties are available at +[HackerOne](https://hackerone.com/nextcloud). -## Existing Security Advisories +## Security Advisories -Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at -[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories). +Published advisories for Nextcloud Server, Clients, and Apps are available at the +[Nextcloud Security Advisories](https://github.com/nextcloud/security-advisories/security/advisories) +page. ## Supported Versions -Nextcloud Server major release versions are being supported with security updates for 1 year after their initial release. -Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details. +Each major release of Nextcloud Server receives security updates for one year from its +initial release date. The Nextcloud project typically supports at least the two most recent +major releases. 
+ +To stay protected: +- Ensure your Nextcloud Server is always running a supported major release +- Promptly apply all maintenance releases (these include critical security and functionality + bug fixes) +- Monitor the end-of-life (EOL) date for your major release (after this date, no further + maintenance releases will be published. Upgrading to a newer major release is strongly + recommended.) + +See the +[Maintenance and Release Schedule](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule) +for details. + +--- ## Additional Information -Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security. -Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks. +- [Nextcloud Security Overview](https://nextcloud.com/security/) +- [Threat Model and Accepted Risks](https://nextcloud.com/security/threat-model) +- [Nextcloud Support](https://nextcloud.com/support/)
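Review bot: The rewrite drops the only link to the HackerOne scope page. The removed context paragraph pointed readers to "[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes)", while the new "How to Report a Vulnerability" and "Bug Bounties" sections keep only the threat-model and program links, so a researcher reading the new text has no direct pointer to what is in scope before filing; restoring that link in the "Bug Bounties" section (for example "Check what is [in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes) before reporting") would close that gap. Two smaller points in the same hunk: "The Nextcloud project typically supports at least the two most recent major releases." is a new factual statement that the previous text did not make and that can drift from the linked Maintenance and Release Schedule, so it should either be confirmed against that page or left to the link; and "If you require encrypted communication, please request it in your initial message." gives reporters no hint of how that is provided (a published key or the HackerOne channel itself), which is worth one clause so that sensitive details are not sent in the clear while waiting for a reply.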