Security is very important to us at Read the Docs. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. In the spirit of transparency, we are committed to responsible reporting and disclosure of security issues.
Security policy
Read our security policy, on which we base our security handling and reporting.
Only the latest version of Read the Docs will receive security updates. We don’t support security updates for custom installations of Read the Docs.
Reporting a security issue
If you believe you’ve discovered a security issue at Read the Docs, please contact us at email@example.com (optionally using our PGP key). We ask that you not publicly disclose the issue until we have addressed it.
You can expect:
- We will respond acknowledging your email, typically within one business day.
- We will follow up, once we have confirmed the issue, with a timetable for the fix.
- We will notify you when the issue is fixed.
- We will create a GitHub advisory and publish it when the issue has been fixed and deployed on our platforms.
You may use this PGP key to securely communicate with us and to verify signed messages you receive from us.
While we sincerely appreciate and encourage reports of suspected security problems, please note that Read the Docs is an open source project and does not run a bug bounty program.
Security issue archive
You can see all past reports at https://github.com/readthedocs/readthedocs.org/security/advisories.
Version 3.2.0 resolved an issue where a specially crafted request could cause a DNS query to an arbitrary domain.
This issue was found by Cyber Smart Defence, who reported it as part of a security audit for a firm running a local installation of Read the Docs.
Version 2.3.0 resolved a security issue with translations on our community hosting site that allowed users to modify the hosted path of a target project by adding it as a translation of their own project. A check was added to ensure project ownership before a project can be added as a translation.
To add a project as a translation now, users must first be granted ownership of that translation project.
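The missing authorization check behind the 2.3.0 advisory is a general pattern: an action that links two resources must verify the actor's rights on both, not just the one they are acting from. The following is an added illustration and is not Read the Docs code; the `User`, `Project`, `add_translation` names and the in-memory ownership model are assumptions made for the example, and the sample projects are constructed.

```python
"""Added illustration (not Read the Docs code) of the ownership check described
in the 2.3.0 advisory: attaching a project as a translation must verify that the
actor owns the project being attached, not only the parent project.
All names here (User, Project, add_translation, ...) are hypothetical."""
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when the actor does not own a project involved in the action."""


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class Project:
    slug: str
    owners: set = field(default_factory=set)        # usernames holding ownership
    translations: list = field(default_factory=list)  # child projects served under this one

    def is_owned_by(self, user: User) -> bool:
        return user.username in self.owners


def add_translation_unchecked(actor: User, parent: Project, child: Project) -> None:
    """Weak form (the pre-2.3.0 behaviour as the advisory describes it): only the
    parent's ownership is verified, so the owner of any project can attach a
    project they do not own and thereby affect where that project is served."""
    if not parent.is_owned_by(actor):
        raise NotAuthorized(f"{actor.username} does not own {parent.slug}")
    parent.translations.append(child)


def add_translation(actor: User, parent: Project, child: Project) -> None:
    """Hardened form: the actor must own both the parent and the project being
    added as a translation, which is the check the advisory describes."""
    if not parent.is_owned_by(actor):
        raise NotAuthorized(f"{actor.username} does not own {parent.slug}")
    if not child.is_owned_by(actor):
        raise NotAuthorized(f"{actor.username} does not own {child.slug}")
    if child is parent:
        raise ValueError("a project cannot be a translation of itself")
    parent.translations.append(child)


def demo() -> dict:
    """Run both forms against constructed sample data and report what happened.
    Returns a dict of outcomes rather than printing, so the result can be checked."""
    alice, mallory = User("alice"), User("mallory")
    victim = Project("victim-docs", owners={"alice"})
    attacker_project = Project("mallory-docs", owners={"mallory"})
    alice_fr = Project("victim-docs-fr", owners={"alice"})

    outcome = {}

    # Weak form: mallory owns the parent, so the unowned victim project is attached.
    add_translation_unchecked(mallory, attacker_project, victim)
    outcome["unchecked_attaches_unowned"] = victim in attacker_project.translations
    attacker_project.translations.clear()

    # Hardened form: the same action is refused because mallory does not own victim.
    try:
        add_translation(mallory, attacker_project, victim)
        outcome["checked_refuses_unowned"] = False
    except NotAuthorized:
        outcome["checked_refuses_unowned"] = True
    outcome["victim_untouched"] = victim not in attacker_project.translations

    # Legitimate case: alice owns both projects, so the translation is added.
    add_translation(alice, victim, alice_fr)
    outcome["owner_can_add_own_translation"] = alice_fr in victim.translations
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two functions side by side is that the weak form is not wrong about the parent; it simply never asks whether the actor may act on the child. Any operation that creates a relationship between two objects (translations, subprojects, redirects, mirrors) should be reviewed for the same omission.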