Merge pull request #18518 from nextcloud/security-polixy

Set up a security policy

SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+The latest three major release versions of Nextcloud are currently being supported with security updates.
+Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.
+
+## Reporting a Vulnerability
+
+Security is very important to us. If you have discovered a security issue with Nextcloud,
+please read our responsible disclosure guidelines and contact us at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
+Your report should include:
+
+- Product version
+- A vulnerability description
+- Reproduction steps
+
+A member of the security team will confirm the vulnerability, determine its impact, and develop a fix.
+The fix will be applied to the master branch, tested, and packaged in the next security release.
+The vulnerability will be publicly announced after the release. Finally, your name will be added
+to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud community. Note our 
+[threat model](https://nextcloud.com/security/threat-model) to know what is expected behavior.
+
+
+Please visit https://nextcloud.com/security/ for further information about security.

apps/updatenotification/Makefile

@@ -44,6 +44,7 @@ package: clean build-js-production
 	--exclude=/CONTRIBUTING.md \
 	--exclude=/issue_template.md \
 	--exclude=/README.md \
+	--exclude=/SECURITY.md \
 	--exclude=/.gitignore \
 	--exclude=/.scrutinizer.yml \
 	--exclude=/.travis.yml \

build/files-checker.php

@@ -73,6 +73,7 @@ $expectedFiles = [
 	'remote.php',
 	'resources',
 	'robots.txt',
+	'SECURITY.md',
 	'status.php',
 	'tests',
 	'themes',