Update Security Documents (#2484)

* Update Security Documents

docs/application-security.md

@@ -1,12 +1,27 @@
 # OneDrive Client for Linux Application Security
-This document details the application security used, and provides details for users on changing these security options.
+This document details the following information:
 
+* Why is this application an 'unverified publisher'?
+* Application Security and Permission Scopes
+* How to change Permission Scopes
+* How to review your existing application access consent
+
+## Why is this application an 'unverified publisher'?
+Publisher Verification, as per the Microsoft [process](https://learn.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview) has actually been configured, and, actually has been verified!
+
+### Verified Publisher Configuration Evidence
+As per the impage below, the Azure portal shows that the 'Publisher Domain' has actually been verified:
+![confirmed_verified_publisher](./images/confirmed_verified_publisher.jpg)
+
+* The 'Publisher Domain' is: https://abraunegg.github.io/
+* The required 'Microsoft Identity Association' is: https://abraunegg.github.io/.well-known/microsoft-identity-association.json
+
+## Application Security and Permission Scopes
 There are 2 main components regarding security for this application:
 * Azure Application Permissions
 * User Authentication Permissions
 
-## Default Application Security
-Security options should follow the security principal of 'least privilege':
+Keeping this in mind, security options should follow the security principal of 'least privilege':
 > The principle that a security architecture should be designed so that each entity 
 > is granted the minimum system resources and authorizations that the entity needs 
 > to perform its function.
@@ -28,6 +43,8 @@ As such, the following API permissions are used by default:
 
 ### Default User Authentication Permissions
 
+When a user authenticates with Microsoft OneDrive, additional account permissions are provided by service to give the user specific access to their data. These are delegated permissions provided by the platform:
+
 | API / Permissions name | Type | Description | Admin consent required |
 |---|---|---|---|
 | Files.ReadWrite | Delegated | Have full access to user files | No |
@@ -35,7 +52,7 @@ As such, the following API permissions are used by default:
 | Sites.ReadWrite.All   | Delegated | Have full access to all items in all site collections | No |
 | offline_access   | Delegated | Maintain access to data you have given it access to | No |
 
-When these delegated API permissions are combined, these provide the effective authentication scope for the OneDrive Client for Linux to access your data. The effective 'default' permissions will be:
+When these delegated API permissions are combined, these provide the effective authentication scope for the OneDrive Client for Linux to access your data. The resulting effective 'default' permissions will be:
 
 | API / Permissions name | Type | Description | Admin consent required |
 |---|---|---|---|

docs/privacy-policy.md

@@ -0,0 +1,65 @@
+# Privacy Policy
+Effective Date: May 16 2018
+
+## Introduction
+
+This Privacy Policy outlines how OneDrive Client for Linux ("we," "our," or "us") collects, uses, and protects information when you use our software ("OneDrive Client for Linux"). We respect your privacy and are committed to ensuring the confidentiality and security of any information you provide while using the Software.
+
+## Information We Do Not Collect
+
+We want to be transparent about the fact that we do not collect any personal data, usage data, or tracking data through the Software. This means:
+
+1. **No Personal Data**: We do not collect any information that can be used to personally identify you, such as your name, email address, phone number, or physical address.
+
+2. **No Usage Data**: We do not collect data about how you use the Software, such as the features you use, the duration of your sessions, or any interactions within the Software.
+
+3. **No Tracking Data**: We do not use cookies or similar tracking technologies to monitor your online behavior or track your activities across websites or apps.
+
+## How We Use Your Information
+
+Since we do not collect any personal, usage, or tracking data, there is no information for us to use for any purpose.
+
+## Third-Party Services
+
+The Software may include links to third-party websites or services, but we do not have control over the privacy practices or content of these third-party services. We encourage you to review the privacy policies of any third-party services you access through the Software.
+
+## Children's Privacy
+
+Since we do not collect any personal, usage, or tracking data, there is no restriction on the use of this application by anyone under the age of 18.
+
+## Information You Choose to Share
+
+While we do not collect personal data, usage data, or tracking data through the Software, there may be instances where you voluntarily choose to share information with us, particularly when submitting bug reports. These bug reports may contain sensitive information such as account details, file names, and directory names. It's important to note that these details are included in the logs and debug logs solely for the purpose of diagnosing and resolving technical issues with the Software. 
+
+We want to emphasize that, even in these cases, we do not have access to your actual data. The logs and debug logs provided in bug reports are used exclusively for technical troubleshooting and debugging purposes. We take measures to treat this information with the utmost care, and it is only accessible to our technical support and development teams. We do not use this information for any other purpose, and we have strict security measures in place to protect it.
+
+## Protecting Your Sensitive Data
+
+We are committed to safeguarding your sensitive data and maintaining its confidentiality. To ensure its protection:
+
+1. **Limited Access**: Only authorized personnel within our technical support and development teams have access to the logs and debug logs containing sensitive data, and they are trained in handling this information securely.
+
+2. **Data Encryption**: We use industry-standard encryption protocols to protect the transmission and storage of sensitive data.
+
+3. **Data Retention**: We retain bug report data for a limited time necessary for resolving the reported issue. Once the issue is resolved, we promptly delete or anonymize the data.
+
+4. **Security Measures**: We employ robust security measures to prevent unauthorized access, disclosure, or alteration of sensitive data.
+
+By submitting a bug report, you acknowledge and consent to the inclusion of sensitive information in logs and debug logs for the sole purpose of addressing technical issues with the Software.
+
+## Your Responsibilities
+
+While we take measures to protect your sensitive data, it is essential for you to exercise caution when submitting bug reports. Please refrain from including any sensitive or personally identifiable information that is not directly related to the technical issue you are reporting. You have the option to redact or obfuscate sensitive details in bug reports to further protect your data.
+
+## Changes to this Privacy Policy
+
+We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated Privacy Policy on our website or through the Software. We encourage you to review this Privacy Policy periodically.
+
+## Contact Us
+
+If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us at support@mynas.com.au or via GitHub (https://github.com/abraunegg/onedrive)
+
+## Conclusion
+
+By using the Software, you agree to the terms outlined in this Privacy Policy. If you do not agree with any part of this policy, please discontinue the use of the Software.
+

docs/terms-of-service.md

@@ -0,0 +1,54 @@
+# OneDrive Client for Linux - Software Service Terms of Service
+
+## 1. Introduction
+
+These Terms of Service ("Terms") govern your use of the OneDrive Client for Linux ("Application") software and related Microsoft OneDrive services ("Service") provided by Microsoft. By accessing or using the Service, you agree to comply with and be bound by these Terms. If you do not agree to these Terms, please do not use the Service.
+
+## 2. License Compliance
+
+The OneDrive Client for Linux software is licensed under the GNU General Public License, version 3.0 (the "GPLv3"). Your use of the software must comply with the terms and conditions of the GPLv3. A copy of the GPLv3 can be found here: https://www.gnu.org/licenses/gpl-3.0.en.html
+
+## 3. Use of the Service
+
+### 3.1. Access and Accounts
+
+You may need to create an account or provide personal information to access certain features of the Service. You are responsible for maintaining the confidentiality of your account information and are solely responsible for all activities that occur under your account.
+
+### 3.2. Prohibited Activities
+
+You agree not to:
+
+- Use the Service in any way that violates applicable laws or regulations.
+- Use the Service to engage in any unlawful, harmful, or fraudulent activity.
+- Use the Service in any manner that disrupts, damages, or impairs the Service.
+
+## 4. Intellectual Property
+
+The OneDrive Client for Linux software is subject to the GPLv3, and you must respect all copyrights, trademarks, and other intellectual property rights associated with the software. Any contributions you make to the software must also comply with the GPLv3.
+
+## 5. Disclaimer of Warranties
+
+The OneDrive Client for Linux software is provided "as is" without any warranties, either expressed or implied. We do not guarantee that the use of the Application will be error-free or uninterrupted.
+
+Microsoft is not responsible for OneDrive Client for Linux. Any issues or problems with OneDrive Client for Linux should be raised on GitHub at https://github.com/abraunegg/onedrive or email support@mynas.com.au
+
+OneDrive Client for Linux is not responsible for the Microsoft OneDrive Service or the Microsoft Graph API Service that this Application utilizes. Any issue with either Microsoft OneDrive or Microsoft Graph API should be raised with Microsoft via their support channel in your country.
+
+## 6. Limitation of Liability
+
+To the fullest extent permitted by law, we shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses, resulting from (a) your use or inability to use the Service, or (b) any other matter relating to the Service.
+
+This limitiation of liability explicitly relates to the use of the OneDrive Client for Linux software and does not affect your rights under the GPLv3.
+
+## 7. Changes to Terms
+
+We reserve the right to update or modify these Terms at any time without prior notice. Any changes will be effective immediately upon posting on GitHub. Your continued use of the Service after the posting of changes constitutes your acceptance of such changes. Changes can be reviewed on GitHub.
+
+## 8. Governing Law
+
+These Terms shall be governed by and construed in accordance with the laws of Australia, without regard to its conflict of law principles.
+
+## 9. Contact Us
+
+If you have any questions or concerns about these Terms, please contact us at https://github.com/abraunegg/onedrive or email support@mynas.com.au
+