Add "no public GH Issues please" request, past advisories link, bounty mention, scope link to security.md

SECURITY.md

@@ -1,25 +1,62 @@
 # Security Policy
 
-## Supported Versions
+[Security](https://nextcloud.com/security/) is very important to us. 
 
-The latest three major release versions of Nextcloud are currently being supported with security updates.
-Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.
+If you believe you have found a security vulnerability that meets our definition of a security 
+vulnerability, please report is as described below.
+
+## Context
+
+Please review our [threat model and accepted risks](https://nextcloud.com/security/threat-model) to learn what 
+is currently considered a security vulnerability versus expected behavior. And review what is considered 
+[in scope or bounty eligible](https://hackerone.com/nextcloud/policy_scopes).
+
+You can expect a response within 24 hours in most cases.
 
 ## Reporting a Vulnerability
 
-Security is very important to us. If you have discovered a security issue with Nextcloud,
-please read our responsible disclosure guidelines and contact us at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
+** **Please do _not_ report security vulnerabilities through public GitHub issues.** **
+
+If you have discovered a security matter with Nextcloud, please read our
+[responsible disclosure guidelines](https://nextcloud.com/security/) and contact us at
+[hackerone.com/nextcloud](https://hackerone.com/nextcloud).
+
 Your report should include:
 
 - Product version
 - A vulnerability description
 - Reproduction steps
+- Any other details you think are likely to be important
+
+### What to Expect
+
+You should receive an initial acknowledgement within 24 hours in most cases.
 
-A member of the security team will confirm the vulnerability, determine its impact, and develop a fix.
-The fix will be applied to the master branch, tested, and packaged in the next security release.
+A member of the security team will confirm the vulnerability, determine its impact, follow-up with any questions, 
+and coordinate a fix.
+
+The fix will be applied to the `master` branch, tested, and packaged in the next security release.
 The vulnerability will be publicly announced after the release. Finally, your name will be added
-to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud community. Note our 
-[threat model](https://nextcloud.com/security/threat-model) to know what is expected behavior.
+to the [hall of fame](https://hackerone.com/nextcloud/thanks) as a thank you from the entire Nextcloud 
+community. 
+
+### Bug Bounties
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Details
+on past bounty ranges can be found at [hackerone.com/nextcloud](https://hackerone.com/nextcloud).
+
+## Existing Security Advisories
+
+Past advisories can be viewed at
+[https://github.com/nextcloud/security-advisories/security/advisories](https://github.com/nextcloud/security-advisories/security/advisories
+).
+
+## Supported Versions
+
+The latest three major release versions of Nextcloud are currently being supported with security updates.
+Please visit https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule for further details.
 
+## Additional Information
 
-Please visit https://nextcloud.com/security/ for further information about security.
+Please visit [https://nextcloud.com/security/](https://nextcloud.com/security/) for further information about Nextcloud security.
+Please visit [https://nextcloud.com/security/threat-model](https://nextcloud.com/security/threat-model) for our threat model and accepted risks.