refactor(security): Revise security policy for clarity and structure and different audiences

SECURITY.md

@@ -3,69 +3,95 @@ SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors
 SPDX-License-Identifier: MIT
 -->
 
-# 💡 TLDR: Report issues at [hackerone.com/nextcloud](https://hackerone.com/nextcloud)
+# Security Policy 
 
-# Security Policy
+## 💡 TLDR: Report security issues at [hackerone.com/nextcloud](https://hackerone.com/nextcloud)
 
-[Security](https://nextcloud.com/security/) is very important to us.
+### Found a security bug in Nextcloud? Let's get it fixed!
 
-If you believe you have found a security vulnerability that meets our definition of a security
-vulnerability, please report is as described below.
+If you believe you have found an issue that meets our 
+[definition of a security vulnerability](https://nextcloud.com/security/threat-model), 
+we encourage you to let us know right away. Please use the reporting process described below.
 
-## Context
+| If you are a...         | See section...                                                                        |
+|-------------------------|---------------------------------------------------------------------------------------|
+| Security Researcher     | [How to Report a Vulnerability](#how-to-report-a-vulnerability)                       |
+| Nextcloud Admin or User | [Security Advisories](#security-advisories), [Supported Versions](#supported-versions) |
 
-Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what
-is currently considered a security vulnerability versus expected behavior. And review what is considered
-[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes).
+---
 
+## How to Report a Vulnerability
 
-## Reporting a Vulnerability
+**⚠️ Do _not_ report security vulnerabilities through public GitHub issues.**
 
-**⚠️ Please do _not_ report security vulnerabilities through public GitHub issues.**
-
-If you have discovered a security matter with Nextcloud, please read our
-[responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at
-[hackerone.com/nextcloud](https://hackerone.com/nextcloud).
+Instead, please:
+- Review our [responsible disclosure guidelines](https://nextcloud.com/security/)
+- Submit your report via [HackerOne](https://hackerone.com/nextcloud)
 
 Your report should include:
-
 - Product version
-- A vulnerability description
-- Reproduction steps
-- Any other details you think are likely to be important
+- A clear description of the vulnerability
+- Steps to reproduce the issue (clear, step-by-step instructions are greatly appreciated)
+- Any other details that may assist our investigation
+
+If you require encrypted communication, please request it in your initial message.
+
+> **Note:** This process is for confidential reporting of software vulnerabilities only.  
+> For general support or configuration help, see 
+> [Nextcloud Support](https://nextcloud.com/support/).
 
-### What to Expect
+## What to Expect After Reporting
 
-You should receive an initial acknowledgement within 24 hours in most cases.
+In most cases, you should receive an initial response within 24 hours.
 
-A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions,
-and coordinate the fix and publication.
+A member of our security team will:
+- Confirm the vulnerability
+- Assess its impact
+- Follow up with any questions
+- Coordinate the fix and public disclosure
 
-The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release.
-The vulnerability will be publicly announced after the release. Finally, your name will be added
-to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud
-community.
+We apply, test, and release fixes for all relevant, supported stable branches in the next 
+security update. Vulnerabilities are publicly announced after the fix is released. As a thank 
+you, we will add your name to our [Hall of Fame](https://hackerone.com/nextcloud/thanks).
 
-If the vulnerability involves an app that is not maintained by Nextcloud (i.e. hosted by the
-Nextcloud project but community maintained, or hosted elsewhere), the security team will try to coordinate with the
-current maintainer and help to get the issue fixed in similar fashion.
+If your report concerns an app not maintained by Nextcloud (e.g., community-maintained apps 
+hosted by Nextcloud or hosted elsewhere), our security team will coordinate with the current 
+maintainer to help resolve the issue in a similar fashion.
 
-### Bug Bounties
+## Bug Bounties
 
-If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details
-on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
+If you are interested in a bug bounty, please note that complete, detailed reports can 
+contribute to higher bounty awards. Details on past bounties are available at 
+[HackerOne](https://hackerone.com/nextcloud).
 
-## Existing Security Advisories
+## Security Advisories
 
-Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at
-[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories).
+Published advisories for Nextcloud Server, Clients, and Apps are available at the 
+[Nextcloud Security Advisories](https://github.com/nextcloud/security-advisories/security/advisories) 
+page.
 
 ## Supported Versions
 
-Nextcloud Server major release versions are being supported with security updates for 1 year after their initial release.
-Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.
+Each major release of Nextcloud Server receives security updates for one year from its 
+initial release date. The Nextcloud project typically supports at least the two most recent 
+major releases.
+
+To stay protected:
+- Ensure your Nextcloud Server is always running a supported major release
+- Promptly apply all maintenance releases (these include critical security and functionality 
+  bug fixes)
+- Monitor the end-of-life (EOL) date for your major release (after this date, no further 
+  maintenance releases will be published. Upgrading to a newer major release is strongly 
+  recommended.)
+
+See the 
+[Maintenance and Release Schedule](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule) 
+for details.
+
+---
 
 ## Additional Information
 
-Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security.
-Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks.
+- [Nextcloud Security Overview](https://nextcloud.com/security/)
+- [Threat Model and Accepted Risks](https://nextcloud.com/security/threat-model)
+- [Nextcloud Support](https://nextcloud.com/support/)