The Docling team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

The latest versions of Docling are supported.

• Participation in the OpenSSF Best Practices Badge Program for Free/Libre and FLOSS projects to ensure that we follow current best practices for quality and security
• Use of HTTPS for network communication
• Use of secure protocols for network communication (through the use of HTTPS)
• Up-to-date support for TLS/SSL (through the use of OpenSSL)
• Performance of TLS certificate verification by default before sending HTTP headers with private information (through the use of OpenSSL and HTTPS)
• Distribution of the software via cryptographically signed releases (on the PyPI, Quay.io and GHCR.io package repositories)
• Use of GitHub Issues for vulnerability reporting and tracking

• Use of Ruff, ty and Pytest for Python code linting (static and dynamic analysers) on pull requests and builds
• Use of GitHub Issues for bug reporting and tracking

If you think you've identified a security issue in a Docling project repository, please DO NOT report the issue publicly via the GitHub issue tracker, discussions, or any other public forum.

We strongly encourage you to use GitHub's Private Vulnerability Reporting feature, which provides a secure and streamlined process for disclosing security issues:

1. Navigate to the Security tab of the Docling repository
2. Click on "Report a vulnerability"
3. Fill out the vulnerability report form with as many details as possible
4. Submit the report

This method allows for:

• Secure communication directly with the maintainers team
• Coordinated disclosure through GitHub's built-in workflow
• Automatic tracking of the vulnerability lifecycle
• Credit attribution when the vulnerability is published

Alternatively, you can send an email with as many details as possible to deepsearch-core@zurich.ibm.com. This is a private mailing list for the maintainers team.

Important: Please do not create a public issue or discuss the vulnerability in any public channel until it has been addressed.

Each report is acknowledged and analyzed by the core maintainers within 3 working days.

Any vulnerability information shared with core maintainers stays within the Docling project and will not be disseminated to other projects unless it is necessary to get the issue fixed.

After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

We will send announcements of security vulnerabilities and steps to remediate on the Docling announcements.