forked from owncloud-archive/owncloud.org
page-security.php
<?php get_template_part('templates/parts/title'); ?>
<div class="sub-nav"><a href="/security/advisories">Security Advisories</a> | <a href="/security/hall-of-fame">Hall of Fame</a></div>
<div class="row">
<div class="span12">
<div class="alert alert-danger"><strong>Heads up!</strong> We appreciate every report; however, please note that our team is very busy and therefore won't respond to reports that we rate as "low" severity or invalid (e.g. DoS in Apache or "X-Powered-By" headers). So do us and yourself a favor: don't report such things, as we will not take them into consideration.</div>
<p>If you've discovered a security issue with ownCloud, please read our responsible disclosure policy and contact <strong>security (at) owncloud (dot) com</strong>. Your report should include:</p>
<ul>
<li>Product version</li>
<li>A vulnerability description</li>
<li>Reproduction steps</li>
</ul>
<p>A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. The fix will be applied to the master branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added to the <a href="/security/hall-of-fame">hall of fame</a> as a thank you from the entire ownCloud community.</p>
<h3>PGP Key for Submissions</h3>
To facilitate confidential submission of security issues, we provide the following PGP key:
<ul>
<li>Key ID: <code>61709BEF</code></li>
<li>Fingerprint: <code>491F D927 C0D9 E24E 8AD7 C167 DC3F 85FE 6170 9BEF</code></li>
<li>Expires: <code>2018-02-11</code></li>
</ul>
<div class="alert alert-danger"><strong>Note: </strong>Make sure not to disclose details in the subject line, as it will not be encrypted!</div>
<h3>Full Public Key for Import</h3>
<h3>Responsible Disclosure Policy</h3>
The ownCloud community asks that you comply with the following guidelines when researching and reporting security vulnerabilities:
<ul>
<li>Only test for vulnerabilities on your own install of ownCloud Server</li>
<li>Confirm the vulnerability applies to a supported product version</li>
<li>Share vulnerabilities in detail only with the security team</li>
<li>Allow reasonable time for a response from the security team</li>
<li>Do not publish information related to the vulnerability until ownCloud has made an announcement to the community</li>
</ul>
<h3>Supported Product Versions</h3>
ownCloud Server:
<ul>
<li>5.0.x</li>
<li>6.0.x</li>
</ul>
ownCloud Desktop Client:
<ul>
<li>1.4.x</li>
<li>1.5.x</li>
</ul>
<h3>Unsupported Product Versions</h3>
ownCloud Server:
<ul>
<li>1.x to 4.x (We strongly suggest upgrading to the latest release)</li>
</ul>
ownCloud Desktop Client:
<ul>
<li>1.0.x</li>
<li>1.1.x</li>
<li>1.2.x</li>
<li>1.3.x</li>
</ul>
<h3>3rd party apps</h3>
Security vulnerabilities in 3rd party apps should also be reported to the security team. The security team is not responsible for the security of these apps, but will attempt to contact the 3rd party app maintainer and then take appropriate action.
</div>
</div>