Introduce security@roundcube.net as security contact (#9694)

Using a dedicated email address with a dedicated PGP key allows to give multiple people access while still keeping things under wrap. A single, private email address as security contact is such a huge bus factor, which we should avoid. Event just a holiday or illness could lead to escalation due to missing replies. Also, in case of potentially severe security issues Nextcloud's security team must have access to all details and communication. This is already given for all issues reported via hackerone.com, and with this change is now also enabled for issues reported by email. (cherry picked from commit 0440792)
roundcube · Nov 6, 2024 · fc6c34b · fc6c34b
1 parent 893c557
commit fc6c34b
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -6,11 +6,12 @@ Check our website's [download page](https://roundcube.net/download/) to see whic
 
 ## Reporting a Vulnerability
 
-If you found a security issue or vulnerability of the software, please report with direct and encrypted email to *thomas[at]roundcube.net*
-and *alec[at]alec.pl*. You can find the according PGP public keys on the major public keyservers like [pgp.key-server.io](https://pgp.key-server.io).
+If you found a security issue or vulnerability of the software, please report it to [Nextcloud's HackerOne](https://hackerone.com/nextcloud).
 
 Your report should include clear steps for reproduction and a classification of the found vulnerability.
 
+If you prefer, you can also send an encrypted email message to `security [at] roundcube.net`. The [PGP key](https://roundcube.net/download/security.roundcube.net.pub)'s fingerprint is `ACFCF63232B79518E632EC4B0127B799F939816F`.
+
 ## Publishing and Credits
 
 We're dedicated to analyze and fix the reported issues as fast a possible. Usually within days we'll have an update ready.