Update security policy (#9723)

* Update security policy - Explicitly mention the supported versions that will receive security updates. - Added a note about bug bounties (inspired by https://www.python.org/dev/security/). - Link to our advisories instead of duplicating the same information (we could even migrate our past reports there) - Add a SECURITY.md file so GitHub links to it nicely. * Update docs/user/security.rst Co-authored-by: Eric Holscher <[email protected]> Co-authored-by: Eric Holscher <[email protected]>
readthedocs · Nov 9, 2022 · fd1b00d · fd1b00d
1 parent 50608f8
commit fd1b00d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 26 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,3 @@
+# Security Policy
+
+Please see https://docs.readthedocs.io/page/security.html.
diff --git a/docs/user/security.rst b/docs/user/security.rst
@@ -31,6 +31,11 @@ Account security
   or when required for security purposes.
 * You can read more about account privacy in our :doc:`privacy-policy`.
 
+Supported versions
+------------------
+
+Only the latest version of Read the Docs will receive security updates.
+We don't support security updates for :doc:`custom installations </open-source-philosophy>` of Read the Docs.
 
 Reporting a security issue
 --------------------------
@@ -53,36 +58,16 @@ PGP key
 You may use this :download:`PGP key </_static/security/pgpkey.txt>`
 to securely communicate with us and to verify signed messages you receive from us.
 
+Bug bounties
+------------
+
+While we sincerely appreciate and encourage reports of suspected security problems,
+please note that the Read the Docs is an open source project, and **does not run any bug bounty programs**.
 
 Security issue archive
 ----------------------
 
-Version 5.19.0
-~~~~~~~~~~~~~~
-
-:ref:`changelog:Version 5.19.0` fixes an issue that allowed a malicious user to fetch internal and private information from a logged user in readthedocs.org/readthedocs.com by creating a malicious site hosted on readthedocs.io/readthedocs-hosted.com or from any custom domain registered in the platform.
-
-It would have required the attacker to get a logged in user to visit an attacker controlled web page, which could then have made GET API requests on behalf of the user. This vulnerability was found by our team as part of a routine security audit, and there is no indication it was exploited.
-
-The issue was found by the Read the Docs team.
-
-Version 5.14.0
-~~~~~~~~~~~~~~
-
-:ref:`changelog:Version 5.14.0` fixes an issue where that affected new code that removed multiple slashes in URL paths. The issue allowed the creation of hyperlinks that looked like they would go to a documentation domain on Read the Docs (either `*.readthedocs.io` or a :doc:`custom docs domain </custom-domains>`)) but instead went to a different domain.
-
-This issue was reported by Splunk after it was reported by a security audit.
-
-Version 3.5.1
-~~~~~~~~~~~~~
-
-:ref:`changelog:Version 3.5.1` fixed an issue that affected projects with "prefix" or "sphinx" user-defined redirects.
-The issue allowed the creation of hyperlinks that looked like they would go to a documentation domain
-on Read the Docs (either ``*.readthedocs.io`` or a custom docs domain) but instead went to a different domain.
-
-This issue was reported by Peter Thomassen and the desec.io DNS security project
-and was funded by `SSE <https://www.securesystems.de>`_.
-
+You can see all past reports at https://github.com/readthedocs/readthedocs.org/security/advisories.
 
 Version 3.2.0
 ~~~~~~~~~~~~~
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Security Policy

		Please see https://docs.readthedocs.io/page/security.html.