Security is very important to us at Read the Docs. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. In the spirit of transparency, we are committed to responsible reporting and disclosure of security issues.
All traffic is encrypted in transit so your login is protected.
Read the Docs stores only one-way hashes of all passwords. Nobody at Read the Docs has access to your passwords.
Account login is protected from brute force attacks with rate limiting.
While most projects and docs on Read the Docs are public, we treat your private repositories and private documentation as confidential and Read the Docs employees may only view them with your explicit permission in response to your support requests, or when required for security purposes.
Reporting a security issue
If you believe you have discovered a security issue at Read the Docs, please contact us at firstname.lastname@example.org (optionally using our PGP key). We ask that you not publicly disclose the issue until we have addressed it.
You can expect:
We will respond acknowledging your email typically within one business day.
We will follow up if and when we have confirmed the issue with a timetable for the fix.
We will notify you when the issue is fixed.
We will add the issue to our security issue archive.
You may use this PGP key to securely communicate with us and to verify signed messages you receive from us.
Security issue archive
Version 5.19.0 fixes an issue that allowed a malicious user to fetch internal and private information from a logged user in readthedocs.org/readthedocs.com by creating a malicious site hosted on readthedocs.io/readthedocs-hosted.com or from any custom domain registered in the platform.
It would have required the attacker to get a logged-in user to visit an attacker-controlled web page, which could then have made GET API requests on behalf of the user. This vulnerability was found by our team as part of a routine security audit, and there is no indication it was exploited.
The issue was found by the Read the Docs team.
Version 5.14.0 fixes an issue in new code that removed multiple slashes in URL paths. The issue allowed the creation of hyperlinks that looked like they would go to a documentation domain on Read the Docs (either *.readthedocs.io or a [custom docs domain](https://docs.readthedocs.io/en/stable/custom_domains.html)) but instead went to a different domain.
This issue was reported by Splunk after it was identified in a security audit.
Version 3.5.1 fixed an issue that affected projects with “prefix” or “sphinx” user-defined redirects.
The issue allowed the creation of hyperlinks that looked like they would go to a documentation domain on Read the Docs (either *.readthedocs.io or a custom docs domain) but instead went to a different domain.
This issue was reported by Peter Thomassen and the desec.io DNS security project and was funded by SSE.
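The 5.14.0 and 3.5.1 entries above describe the same class of problem: a link or redirect target that looks like a path on the docs domain but resolves to another host. As an added illustration, not Read the Docs code, the Python below shows why a scheme-relative target such as "//host/page" leaves the docs domain and how a redirect-path normaliser can refuse such targets; the hostname and the slash-handling steps are assumptions for the example, not the project's actual implementation.

```python
# Added illustration, not Read the Docs code. Shows why a target starting
# with "//" leaves the docs domain (browsers resolve it as scheme-relative,
# per RFC 3986) and a normaliser that refuses to emit such a target.
# The slash squeezing below is an assumed stand-in for the kind of path
# clean-up the advisories mention, not the real implementation.
import re
from urllib.parse import urljoin, urlsplit

DOCS_ORIGIN = "https://example-project.readthedocs.io/"  # assumed docs host


def resolved_host(target: str, base: str = DOCS_ORIGIN) -> str:
    """Host a browser would land on when following `target` from `base`."""
    return urlsplit(urljoin(base, target)).hostname or ""


def is_same_site_path(target: str) -> bool:
    """True only for a path-only target that stays on the current host.

    Rejects absolute URLs, scheme-relative targets ("//host/...") and the
    backslash form ("/\\host/...") that some browsers normalise to "/".
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return target.startswith("/") and not target.startswith(("//", "/\\"))


def normalize_redirect_path(path: str) -> str:
    """Squeeze repeated slashes while guaranteeing exactly one leading slash.

    Squeezing first and then re-adding a single leading slash means the
    result can never begin with "//"; the final check enforces that the
    redirect stays on the docs host and raises instead of redirecting.
    """
    squeezed = re.sub(r"/{2,}", "/", path.replace("\\", "/"))
    normalized = "/" + squeezed.lstrip("/")
    if not is_same_site_path(normalized):
        raise ValueError(f"refusing off-site redirect target: {path!r}")
    return normalized
```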
Version 3.2.0 resolved an issue where a specially crafted request could result in a DNS query to an arbitrary domain.
This issue was found by Cyber Smart Defence who reported it as part of a security audit to a firm running a local installation of Read the Docs.
Version 2.3.0 resolves a security issue with translations on our community hosting site that allowed users to modify the hosted path of a target project by adding it as a translation of their own project. A check was added to ensure project ownership before adding the project as a translation.
To add a project as a translation now, users must first be granted ownership of the translation project.