Merge pull request #3641 from davidfischer/update-security-docs

Update RTD security docs
readthedocs · Feb 22, 2018 · 6317e06 · 6317e06
2 parents 382c593 + ae6b6b5
commit 6317e06
Show file tree

Hide file tree

Showing 5 changed files with 98 additions and 41 deletions.
diff --git a/docs/index.rst b/docs/index.rst
@@ -104,6 +104,7 @@ Information about development is also available:
    settings
    i18n
    issue-labels
+   security
    api/index
 
 .. _business-docs:

diff --git a/docs/security.rst b/docs/security.rst
@@ -0,0 +1,89 @@
+Security
+========
+
+Security is very important to us at Read the Docs. We are committed to responsible reporting and disclosure of security issues.
+
+Reporting a security issue
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you believe you've discovered a security issue at Read the Docs, please contact us at **security@readthedocs.org** (optionally using our :ref:`pgp-key`). We request that you please not publicly disclose the issue until it has been addressed by us.
+
+You can expect:
+
+* We will respond acknowledging your email typically within one business day.
+* We will follow up if and when we have confirmed the issue with a timetable for the fix.
+* We will notify you when the issue is fixed.
+* We will add the issue to our :ref:`security issue archive <security-issue-archive>`.
+
+.. _pgp-key:
+
+PGP key
+~~~~~~~
+
+You may use this `PGP key`_ to securely communicate with us and to verify signed messages you receive from us.
+
+.. _PGP key: https://pgp.mit.edu/pks/lookup?op=vindex&search=0xFEEF9FC2DD21D271
+
+::
+
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    Comment: GPGTools - http://gpgtools.org
+
+    mQINBFqNz1ABEADvgtp3LT1pV5wuTyBPaKrbWBFj10eKyQ15wfgyc2RR6Ix5QnBo
+    6BcJ4fpgBhSwlngsrm0WU5kI/jH7ySwzbDpYCRiLvGJx+pEYLuBBOSm6r5M1N+FV
+    xq3ShT4mHXhwPS1mKf9Xe+KlMdYa2e5TlBEr+TxGAmFFrOLjPxw6IDHgP3MVidr2
+    iHA2PAATl6H9ZYvNzLkI2sP7h0V1/ADd43YpAK4yk6gdVjype5ez8lmoxDKNabMt
+    dSfdOup8zy/fbC5KlxqrT9hHBkYfQWDLWXWcDW111q+ZvncujCrpONaY86bcQ3nn
+    QgkeWCwj254vvqsrygEU93reC2onWaROUKoLlX1/1m2k2X3qze/hJRFZaljXVPKH
+    jV/5q88EbjSUDgY5v9mdX8jhJAukx9HkOFdkMSh3RBgu1r+UPnCNd9K4T2nN0LBL
+    c9NTG0HW7Di5ivEVq74SqDIeiVeOrfY/B6pRuUm/kNPcvZ+ZQPeNk6JUMqEemO9Q
+    h0VHSkgkhCPWPO9c9wWJz7O6y6vXgsFG7BZg7mTVOiKbdgneGo/rKRvuBlQ7hCvP
+    PklwyRn90SJSgv7NF6HMm4TA1R9mzp+90oXjrDXARXmGTsPtcDXFv7xqpK1+Mfcn
+    ajEJYdIRNWVgx0E2RzHRipdG5MIQ5Plf4/GasVHl71nMGY06oIu1T+44MQARAQAB
+    tFpSZWFkIHRoZSBEb2NzIFNlY3VyaXR5IFRlYW0gKGh0dHBzOi8vcmVhZHRoZWRv
+    Y3Mub3JnL3NlY3VyaXR5LykgPHNlY3VyaXR5QHJlYWR0aGVkb2NzLm9yZz6JAk4E
+    EwEIADgWIQRq+P453S2vjKvMbGn+75/C3SHScQUCWo3PUAIbAwULCQgHAgYVCgkI
+    CwIEFgIDAQIeAQIXgAAKCRD+75/C3SHScYMMD/4z0TN08oJ57Krg+UODXPsT9U3l
+    8fyKHhe6fJCTt5GQiWwBbkfa4M0YcxemIJGdgF1DpdSteWIL0tCwXbxHph+keYlg
+    z+EmF+W7OlnwbmtDx/Rj9VNdzf636DkMusTQzYEB/+FdN4LtMVq7Al4CZ2Ca82F8
+    h0TLceh2bRgNjeWPuAMj7kS8tw3D9LmYA8d8Lv2c2jN7ba9p+QNKdSa4ErdJ0kbz
+    CSFcABPfc+LlYWFbm5j1ggzTONgR9R27mpAGMAtgSeAtxXLU0sQfLtCNaVkRyJ3C
+    s0awUvJCuq11YUPjz4HAcTWM4baAxK5LliEDOdaOlTK0q8T0sPP+SWt5JRL6/Xc3
+    SwaXnVfzzZyeaSmRGEHmGQYBTB3WMUcH1RNH6uhNPCF4x3t0jOHWP7Eka4B9IdfE
+    cd+GDwqTKCHyddh8yUzTrmlSbdO7iuel6WVN0Xo1xzVrLUKpgDvB0UuPQXlxDLUc
+    WVrKv9rcyDVGVpDjQSQ4l191NDzlfzmDFkZ69Qe3E5Ir8oWBCMtHX3C99ocIcbR3
+    3mqOio2/QQCJzrMOWxgauF/q4JMKQRj5Qq8US2U32xlPzB8O09z1e3kUOEy4gbwE
+    6LVMj6vxJqjV8/4AOcocGgJKLLC9nqhf2sq5zA4TjI7lI25pgDDYozaLF2ss5nk3
+    t9hQmI5Q0MXGSsflAbkCDQRajc9QARAA30mNh2QaDVLcHEfJ9QKfqRfY3ddG6s6F
+    AHLR7mQ2tmO7ygzxgEcM7+7W+lmc9L+mZ5WutK5PIae/MpAgOo220079aW3em2sz
+    +dIHdSE7CaajUahQaPqLY6W0bbZloGGDetPtOMKBTI1HtSNyKIsULsbyUA1SsEFn
+    aWtOof1MqqVQvYDwwwRj6T+DHtV17yO33v98k01Nx1SSThVY9wQ4MOZDBOAqWhie
+    iboDssrvtVZZihbQ9LM8TH/l81auodBDpp96tgWguzjM4eyutaYZ6ZOLhfVUuEX+
+    gEqqJ7alXfDhh3NZUMHZ0SHVII7u7nqciTo7NS9rxBXfdGlKmC/9Z3ehIXSpCnPY
+    JO42qMjPVM5/QDoeK9BWWX3rXmwnNzqK0D4L7zK/cVnt2q9EqPCUJgOITJWEGc9G
+    crO0ni/8M+BuhO/4MeJJtrPtmq1b1BoeuYBzf1M7ARtnvtC5hLLrtxiy4UANlwSm
+    HFcIEt5UViwEqRuQWr5ZO3mwaJP2R/foDHww7JYEqJ/GFI5RpT+3LWT5FXPC1QvU
+    sbewD+ZmLSfifhC0WUzF002eadgXNyXSZKAirM8+yELM4xZAs0pJVlKVFRnis0OL
+    Wxdzthp2gTg+agtMoz27belxVUEmRK9GDaXi9XtJSooSglt0xlTimgB40nDPniVB
+    4h5S/gHsg8cAEQEAAYkCNgQYAQgAIBYhBGr4/jndLa+Mq8xsaf7vn8LdIdJxBQJa
+    jc9QAhsMAAoJEP7vn8LdIdJxwswP/0oGlxUJZhDG8yCbTTTvxvKXd02AXw/GQKrq
+    ptrLEXbhko6TOuZolEWsRrc1ObMiky97CicqQthg22Kf1K7g2UNlPS4LFtTrPXKL
+    9iJMAgms0a0ul3cHqQh2XiuGc1bfDuGyNe/nE5/uvgpjxg0hvvBH/5xuiaMkf+gZ
+    nJjF2ZcXm6a17MCuAcw/siox1/PeXn0At/wzOWD9qONg+BI/QUynzcSMg/coBe7V
+    hUX1LU02n6laBwuQ6Q0KoD6CP43seYv3JaPyVP7+IkhtH/RDm8q3vs0qLpEBrJIb
+    vBYBXLtyoGHxTkWueou0Ur1j2lLUMqnQkq5NAsckSfHtZEdPDy6T3NHMfVRmnXnW
+    m/GM3BDE7DFe5BBYb+vJS4/JHNDoSpk+jNezaf3hdx9+fh2DIoL84fs1FRRAl3Od
+    6LWPAt3twOQLS0KsQh0GSIZ+zdJf3xvlZ4ixAaPB4iAF8bXYzvsODN3LRQIGhet2
+    NzjD41f5IrAlG/qFiC6s/YLj1DWanLw2nTzSi4x3v0Gc4DEXPebB3KvaNEmqoKGP
+    5aXa9IPbvzEVCX82qjeqCPYAsYVOBQnFEAcnkrQ76363oJTeTHxK7kgewS2YCVyy
+    7wVinR8eyrs+3AWrZ5Op817HgxGvAVDGOEK+1OX9g1wt+IdxX00s85/T+Zk9RF6H
+    wtRaD9li
+    =LjIC
+    -----END PGP PUBLIC KEY BLOCK-----
+
+.. _security-issue-archive:
+
+Security issue archive
+~~~~~~~~~~~~~~~~~~~~~~
+
+It's only a matter of time...
diff --git a/readthedocs/templates/security.html b/readthedocs/templates/security.html
@@ -2,50 +2,14 @@
 
 {% load i18n %}
 
-{% load pagination_tags %}
-
-{% block title %}Security{% endblock %}
+{% block title %}{% trans 'Security' %}{% endblock %}
 
 {% block content %}
 
-Please email <a href="mailto:eric@ericholscher.com">eric@ericholscher.com</a> in the event of a security flaw discovered in Read the Docs. 
-
-You can sign your message with the following <a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71337C3047A1B066">GPG key</a>:
-
-<pre>
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: SKS 1.1.0
+<h2>{% trans 'Security at Read the Docs' %}</h2>
 
-mQENBE/U7XsBCADPGU00RobDzUzbrfbNHSY/KTr1qI1ZxYUxtp9k/lScTWa/zerbYQQrLdwd
-kQDh/qi7t/hoxW2rL63YOoX4Da80d7C3sfNq9Z3hPo1GY2cQnwmtkRr2dNzATm95U5cTFAt2
-SdxScxzZvPpTKukFRye+SExqQDKVAfZ/Ojt6tRFSky2dTIb0pWvu10vRwD4yNgV8ru8SOKtj
-JNMecyrlvhzdIb1FE1rV7KCPx7EIwf3GQqCFW1sMM3GJBLOtXH5CKsqhxri9pTsLgWMC4ESO
-QrX/ZFxlwmKbcvoaOWxNSR8wgu5NX6rScvcynDEe7xPH5wDVqgBXJJodvLtQLPWX4GZ3ABEB
-AAG0JUVyaWMgSG9sc2NoZXIgPGVyaWNAZXJpY2hvbHNjaGVyLmNvbT6JATwEEwECACYFAk/U
-7XsCGy8FCQeGH4AGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBxM3wwR6GwZnm9CADO171A
-H/nYyNAaaTufxEyvvxFL9DrCgZYD2rilfvXkh8+tRVEnA0HM8/5rr/KzfqT/EEKEmVDtrB1o
-hTXzLfE+ZsBqngEfp94/F4Fd/5fXM5DAKkZEIlHeOGpeD10m21nJoJ+uBxJZyoLyVd2FJhJv
-mJ1/ZBkdJS5odvUwgRbPZyseA9Ozff0Vdm303eXYZpIVSsTtuTsYg5A1/Mwa0BgIeo9Ml91O
-6MDCBrGmyb3NfkdEIcviF5zd3yb8331AwMGNJ+HA6u7oLgrPvpONfZxFwiOhfB2VSRBf4zfp
-gzw/8LyxaXlADnoLAefP8AbtQPUg+HRV/KeggsW8aM4J55RUuQENBE/U7XsBCACxj756cjlj
-cA6ivrB9NwXAna19ID7r/fKFBnZG94CPskH5FdXczNtxEeQe/LwxkjbAhVT2TYpHAt+yJphl
-8RbeC+KCtoqyJNDKHc9eGNAnCHpjtUMt+UTnx9lf5M209Z6EFmlGRo8QaiJ4Y7mH9T+E9OyT
-cp/iLhct2Rj4uKXwkn69YrSqpHYPTN8SbnKeRObmOT56ufLnvsPT6j+dhCURHDuJeVGBDyrX
-yki+yrqY/Bdvf+u3mpXUNBOkvzJSSYw0frZxkf2fV6hrfqw4ox+RH7UoMAq2snWj7soxmY0m
-1wKjmekV6AG0w5ZDLJKcN8i0BvxesSWlynQJQUm1vGA7ABEBAAGJAkQEGAECAA8FAk/U7XsC
-Gy4FCQeGH4ABKQkQcTN8MEehsGbAXSAEGQECAAYFAk/U7XsACgkQCbrTGsxPhhhxigf/Y5a+
-se1foq4lV5PCmUip+W34LBfEpaZaTWwxLzK35pgeS3f3cWe7ljohMA6qEuS5pksqjpdMYZrj
-hHihCTh7lu+gwdcf3I5rXKvtdoqz16NRl4E//RZ0tBvGTTeQgtFNp/Lom1QDnPM64W5bTinQ
-G1yUNiNGDi2k7IdzHL1iLtwpZsyiWDpAl8m0BDhpPLGfTzx3DI73AJFz7eevfSeGpAGHRcCS
-czyA6Ts2UY1clurITvTis4h3OKMqavtU7qN4/OehRxdEnbuzW/NPtJ+rar3oyzdPmsT+TkcN
-TTEM/sCrpjWJUa5hF4mqchEEudtmCWyoP5Av9nsn6vF9XjmxaPPRCAC5OAreWwNTcCfAkBtd
-nZLuHxPO4QnA0VEH5A4uCveH7x4CiSLRLJw0j76KRTjL23KNceW3Xs4uha7k7Xkq+uzmy2A6
-PoMsnhoVmOjh49Iq7vb8gv7WJvhUusGEFnLiD4chYIptdPiV3FuYHdQ/352fwh3DYgLRz9+A
-MSfdxN6HfgqPM8Coef0gh+8OstnWJpWBpE6kX8NJw5sZ8aJM8bZDhWro9tg0DVLE1SZ9GiuV
-HxVDrjba92q09KkdVvgifbXzlzsc4bnh+BWjpOkYKH39Q4LuQUySJLWlSkYHUKLpCnlrYfo/
-luSpsAyzljd2WIX4OVtbOodsJeBYutS2AxBO
-=yZOS
------END PGP PUBLIC KEY BLOCK-----
-</pre>
+{% blocktrans %}
+  For more details on security at Read the Docs or to report a security issue, please see our <a href="https://docs.readthedocs.io/en/latest/security.html">security policy</a>.
+{% endblocktrans %}
 
 {% endblock %}
diff --git a/readthedocs/templates/security.txt b/readthedocs/templates/security.txt
@@ -0,0 +1 @@
+Policy: https://docs.readthedocs.io/en/latest/security.html
diff --git a/readthedocs/urls.py b/readthedocs/urls.py
@@ -34,6 +34,8 @@
     url(r'^$', HomepageView.as_view(), name='homepage'),
     url(r'^support/', SupportView.as_view(), name='support'),
     url(r'^security/', TemplateView.as_view(template_name='security.html')),
+    url(r'^.well-known/security.txt',
+        TemplateView.as_view(template_name='security.txt', content_type='text/plain')),
 ]
 
 rtd_urls = [