diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index e7b9a93d35..84acb97717 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -1,6 +1,6 @@ -name: Bug report -description: Create a report to help us improve -labels: [ "bug" ] +name: "🐛 Bug report: Nextcloud Android Client" +description: "Submit a report and help us improve the Nextcloud Android Client" +labels: ["bug", "0. Needs triage"] body: - type: checkboxes id: before-posting diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 9eb201ef31..ad8a30caa9 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,5 +1,12 @@ -blank_issues_enabled: false +# SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors +# SPDX-License-Identifier: AGPL-3.0-or-later contact_links: - - name: Community Support and Help - url: https://help.nextcloud.com/ - about: For questions and general help + - name: 🚨 Report a security or privacy issue + url: https://hackerone.com/nextcloud + about: Report security and privacy related issues privately to the Nextcloud team, so we can coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime. + - name: ❓ Community Support and Help + url: https://help.nextcloud.com/ + about: Configuration, webserver/proxy or performance issues and other questions + - name: 💼 Nextcloud Enterprise + url: https://portal.nextcloud.com/ + about: If you are a Nextcloud Enterprise customer, or need Professional support, so it can be resolved directly by our dedicated engineers more quickly diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index 13d19caad3..468572c9b6 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -1,20 +1,48 @@ --- -name: Feature request +name: 🚀 Feature request about: Suggest an idea for this project -labels: enhancement - +labels: enhancement, 0. Needs triage --- -### Is your feature request related to a problem? Please describe. + + + + + +### How to use GitHub + +* Please use the 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to show that you are interested into the same feature. +* Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue. +* Subscribe to receive notifications on status change and new comments. + + +**Is your feature request related to a problem? Please describe.** A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -### Describe the solution you'd like +**Describe the solution you'd like** A clear and concise description of what you want to happen. -### Describe alternatives you've considered +**Describe alternatives you've considered** A clear and concise description of any alternative solutions or features you've considered. -### Additional context +**Additional context** Add any other context or screenshots about the feature request here. - -**NOTE:** Be super sure to remove sensitive data like passwords, note that everybody can look here! You can use the Issue Template application to prefill some of the required information: https://apps.nextcloud.com/apps/issuetemplate diff --git a/SECURITY.md b/SECURITY.md index 271b94ec43..b0adf57720 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,25 +4,68 @@ --> # Security Policy -## Supported Versions +# 💡 TLDR: Report issues at [hackerone.com/nextcloud](https://hackerone.com/nextcloud) + +# Security Policy + +[Security](https://nextcloud.com/security/) is very important to us. + +If you believe you have found a security vulnerability that meets our definition of a security +vulnerability, please report is as described below. + +## Context + +Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what +is currently considered a security vulnerability versus expected behavior. And review what is considered +[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes). -Only the latest version is supported. We release every second month a feature release (currently 3.x) and inbetween a bug fix release (3.x.y). ## Reporting a Vulnerability -Security is very important to us. If you have discovered a security issue with Nextcloud, -please read our responsible disclosure guidelines and contact us at [hackerone.com/nextcloud](https://hackerone.com/nextcloud). +**⚠️ Please do _not_ report security vulnerabilities through public GitHub issues.** + +If you have discovered a security matter with Nextcloud, please read our +[responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at +[hackerone.com/nextcloud](https://hackerone.com/nextcloud). + Your report should include: - Product version - A vulnerability description - Reproduction steps +- Any other details you think are likely to be important -A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. -The fix will be applied to the master branch, tested, and packaged in the next bug fix release. +### What to Expect + +You should receive an initial acknowledgement within 24 hours in most cases. + +A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions, +and coordinate the fix and publication. + +The fix will be applied to all applicable and still supported stable branches, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added -to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud community. Note our -[threat model](https://nextcloud.com/security/threat-model) to know what is expected behavior. +to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud +community. +If the vulnerability involves an app that is not maintained by Nextcloud (i.e. hosted by the +Nextcloud project but community maintained, or hosted elsewhere), the security team will try to coordinate with the +current maintainer and help to get the issue fixed in similar fashion. -Please visit https://nextcloud.com/security/ for further information about security. +### Bug Bounties + +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details +on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud). + +## Existing Security Advisories + +Published security advisories for the Nextcloud Server, Clients and Apps can be viewed at +[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories). + +## Supported Versions + +Only the latest version is supported. We release every second month a feature release (currently 3.x) and inbetween a bug fix release (3.x.y). + +## Additional Information + +Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security. +Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks.