|
| 1 | +# Security and Disclosure Information Policy for the Docling Project |
| 2 | + |
| 3 | +The Docling team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. |
| 4 | + |
| 5 | +## Supported Versions |
| 6 | + |
| 7 | +The latest versions of Docling are supported. |
| 8 | + |
| 9 | +### Security |
| 10 | + |
| 11 | +- Participation in the [OpenSSF Best Practices Badge Program](https://bestpractices.coreinfrastructure.org/en/projects/10101) for Free/Libre and FLOSS projects to ensure that we follow current best practices for quality and security |
| 12 | +- Use of [HTTPS](https://en.wikipedia.org/wiki/HTTPS) for network communication |
| 13 | +- Use of secure protocols for network communication (through the use of HTTPS) |
| 14 | +- Up-to-date support for TLS/SSL (through the use of [OpenSSL](https://www.openssl.org/)) |
| 15 | +- Performance of TLS certificate verification by default before sending HTTP headers with private information (through the use of OpenSSL and HTTPS) |
| 16 | +- Distribution of the software via cryptographically signed releases on [Maven Central](https://central.sonatype.com/) |
| 17 | +- Use of [GitHub](https://github.com/) Issues for vulnerability reporting and tracking |
| 18 | + |
| 19 | +### Analysis |
| 20 | + |
| 21 | +- Use of GitHub Issues for bug reporting and tracking |
| 22 | + |
| 23 | +## Reporting a Vulnerability |
| 24 | + |
| 25 | +If you think you've identified a security issue in any Docling project repository, please DO NOT report the issue publicly via the GitHub issue tracker, etc. |
| 26 | + |
| 27 | +Instead, send an email with as many details as possible to [deepsearch-core@zurich.ibm.com](mailto:deepsearch-core@zurich.ibm.com). This is a private mailing list for the maintainers team. |
| 28 | + |
| 29 | +Please do not create a public issue. |
| 30 | + |
| 31 | +### Security Vulnerability Response |
| 32 | + |
| 33 | +Each report is acknowledged and analyzed by the core maintainers within 3 working days. |
| 34 | + |
| 35 | +Any vulnerability information shared with core maintainers stays within the Docling project and will not be disseminated to other projects unless it is necessary to get the issue fixed. |
| 36 | + |
| 37 | +After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. |
| 38 | + |
| 39 | +## Security Alerts |
| 40 | + |
| 41 | +We will send announcements of security vulnerabilities and steps to remediate on the [Docling announcements](https://github.com/docling-project/docling/discussions/categories/announcements). |
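Review bot: The "Security" list contradicts the "Reporting a Vulnerability" section: the bullet "Use of GitHub Issues for vulnerability reporting and tracking" points reporters at the public tracker, while the later section says "DO NOT report the issue publicly via the GitHub issue tracker". Drop that bullet (or reword it to cover tracking of already-disclosed issues only) so the policy names a single channel, the private mailing list. Other points in the same hunk: the bullets "Use of HTTPS for network communication" and "Use of secure protocols for network communication (through the use of HTTPS)" say the same thing and can be merged; "cryptographically signed releases on Maven Central" should be checked against where Docling releases are actually published, since Maven Central is a repository for JVM artifacts and this reads like a carry-over from another project's template; "The latest versions of Docling are supported" would be clearer as an explicit statement (or table) of which release lines receive security fixes; and the "Analysis" heading holds only a bug-tracking bullet, so it reads as leftover template text. Consider also stating whether the deepsearch-core mailing list has a public key for encrypted reports and what disclosure timeline a reporter can expect after the 3-working-day acknowledgement.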