0440792e4e
Using a dedicated email address with a dedicated PGP key allows to give multiple people access while still keeping things under wrap. A single, private email address as security contact is such a huge bus factor, which we should avoid. Event just a holiday or illness could lead to escalation due to missing replies. Also, in case of potentially severe security issues Nextcloud's security team must have access to all details and communication. This is already given for all issues reported via hackerone.com, and with this change is now also enabled for issues reported by email.
1.0 KiB
Security Policy
Supported Versions
Check our website's download page to see which versions are still supported and will receive security updates.
Reporting a Vulnerability
If you found a security issue or vulnerability of the software, please report it to Nextcloud's HackerOne.
Your report should include clear steps for reproduction and a classification of the found vulnerability.
If you prefer, you can also send an encrypted email message to security [at] roundcube.net. The PGP key's fingerprint is ACFCF63232B79518E632EC4B0127B799F939816F.
Publishing and Credits
We're dedicated to analyze and fix the reported issues as fast a possible. Usually within days we'll have an update ready. Together with the reporter we plan the releasing and the disclosure of the found and fixed vulnerability. Credits to the reporter are granted and can be included in all public communication if desired.