We actively support the following versions of Doctra with security updates:
| Version | Supported |
|---|---|
| 0.5.x | ✅ |
| 0.4.x | ✅ |
| < 0.4 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability in Doctra, please report it responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them privately by emailing:
When reporting a security vulnerability, please include:
- Description: A clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: Potential impact and severity assessment
- Affected Versions: Which versions are affected
- Proof of Concept: If applicable, include a minimal proof of concept
- Suggested Fix: If you have ideas for fixing the issue
After you report, here is what to expect:
- Acknowledgment: We will acknowledge receipt within 48 hours
- Initial Assessment: We will provide an initial assessment within 5 business days
- Resolution: We will work to resolve critical vulnerabilities within 30 days
- Updates: We will provide regular updates on our progress
- Confirmation: We will confirm receipt of your report
- Investigation: We will investigate the reported vulnerability
- Fix Development: We will develop and test a fix
- Release: We will release a security update
- Credit: We will credit you in our security advisories (unless you prefer to remain anonymous)
When using Doctra, please follow these security best practices:
- Never commit API keys to version control
- Use environment variables for sensitive configuration:
  ```python
  import os

  # Good
  api_key = os.getenv('OPENAI_API_KEY')

  # Bad - never do this
  api_key = "sk-your-actual-api-key-here"
  ```
- Rotate API keys regularly
- Use least-privilege access for API keys
- Validate input files before processing
- Be cautious with untrusted PDFs - they may contain malicious content
- Use sandboxed environments for processing unknown documents
- Clean up temporary files after processing
- Use HTTPS for all API communications
- Verify SSL certificates when making API calls
- Consider using VPNs for sensitive document processing
- Validate all inputs thoroughly
- Use parameterized queries for database operations
- Sanitize user inputs before processing
- Implement proper error handling without exposing sensitive information
- Keep dependencies updated regularly
- Use dependency scanning tools to identify vulnerabilities
- Review dependency licenses for compatibility
- Implement file size limits to prevent DoS attacks
- Validate file types before processing
- Use secure temporary directories for file operations
- Clean up resources properly
Doctra processes various document types, which presents unique security considerations:
- Malicious PDFs: PDFs can contain embedded JavaScript or other executable content
- Metadata: PDFs may contain sensitive metadata
- File Size: Large files can cause memory issues
- Image-based attacks: Malicious images can exploit image processing libraries
- Memory consumption: Large images can cause out-of-memory errors
- Format validation: Ensure images are in expected formats
- Rate limiting: Implement rate limiting for API calls
- Authentication: Use proper authentication for API services
- Data transmission: Ensure sensitive data is encrypted in transit
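The checks above (size limits, file type validation, and the risky PDF content mentioned under document security) can be combined into one pre-processing gate. This is an added example, not Doctra's own code: it decides the type by magic bytes rather than extension, stats the file before reading it, and flags PDF name objects (JavaScript, auto-run and launch actions, embedded files) so such files can be routed to a sandbox instead of processed automatically. The size limit and the sample documents are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

MAX_FILE_SIZE = 100 * 1024 * 1024  # 100 MiB; assumed limit, not Doctra's default

# PDF name objects that warrant sandboxed handling instead of automatic processing:
# embedded scripts, auto-run actions, launch actions and embedded files.
RISKY_NAMES = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")

def validate_pdf_file(file_path: str, max_size: int = MAX_FILE_SIZE) -> dict:
    """Enforce the size limit, check magic bytes, then flag risky PDF features."""
    path = Path(file_path)
    size = path.stat().st_size          # stat first: never read an oversized file
    if size > max_size:
        raise ValueError(f"File too large: {size} bytes > {max_size}")
    with path.open("rb") as fh:
        head = fh.read(1024)            # the header may be preceded by junk bytes
        if b"%PDF-" not in head:        # magic bytes, not the extension, decide type
            raise ValueError("Not a PDF: missing %PDF- header")
        fh.seek(0)
        data = fh.read()
    flags = sorted({m.group(1).decode() for m in RISKY_NAMES.finditer(data)})
    return {"ok": not flags, "flags": flags}

# Constructed sample inputs (not real documents): a minimal clean PDF, one with
# an auto-run JavaScript action, and a non-PDF renamed to .pdf.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (x) >> endobj\n%%EOF\n")
NOT_PDF = b"PK\x03\x04 a zip archive renamed to .pdf"

def _write(tmpdir: str, name: str, data: bytes) -> str:
    p = Path(tmpdir) / name
    p.write_bytes(data)
    return str(p)

def demo() -> dict:
    """Run the validator over the samples inside a throwaway temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        results["clean"] = validate_pdf_file(_write(tmpdir, "clean.pdf", CLEAN_PDF))
        results["js"] = validate_pdf_file(_write(tmpdir, "js.pdf", JS_PDF))
        for name, data, limit in (("fake.pdf", NOT_PDF, MAX_FILE_SIZE),
                                  ("big.pdf", CLEAN_PDF, 16)):
            try:
                validate_pdf_file(_write(tmpdir, name, data), max_size=limit)
                results[name] = "accepted"
            except ValueError as exc:
                results[name] = str(exc)
    return results
```

A flagged file is not necessarily malicious (forms legitimately use JavaScript), so treat the flags as a routing decision toward sandboxed processing rather than a verdict.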
```python
# Use environment variables for sensitive data
import os
from pathlib import Path

# Secure configuration
API_KEY = os.getenv('VLM_API_KEY')
TEMP_DIR = Path(os.getenv('TEMP_DIR', '/tmp/doctra'))
# Size limit in bytes; the default must be a numeric string because int('100MB') raises ValueError
MAX_FILE_SIZE = int(os.getenv('MAX_FILE_SIZE', str(100 * 1024 * 1024)))
```

```python
import os

MAX_FILE_SIZE = 100 * 1024 * 1024  # bytes; see the configuration above

def validate_pdf_file(file_path: str) -> bool:
    """Validate PDF file for security."""
    # Check file size
    if os.path.getsize(file_path) > MAX_FILE_SIZE:
        raise ValueError("File too large")
    # Check file type
    if not file_path.lower().endswith('.pdf'):
        raise ValueError("Invalid file type")
    # Additional validation...
    return True
```

```python
import tempfile
import shutil
from pathlib import Path

def safe_process_pdf(pdf_path: str):
    """Process PDF in a secure manner."""
    # TemporaryDirectory removes the directory and everything in it on exit,
    # even if processing raises, so no explicit cleanup is needed.
    with tempfile.TemporaryDirectory() as temp_dir:
        temp_path = Path(temp_dir) / "input.pdf"
        shutil.copy2(pdf_path, temp_path)
        # process_file stands for the caller's processing pipeline (not defined here)
        return process_file(temp_path)
```

- Immediate Response: Critical vulnerabilities receive immediate attention
- Patch Development: We develop and test security patches
- Release Process: Security updates are released as soon as possible
- Communication: We communicate security updates through:
- GitHub releases
- Security advisories
- Email notifications (for critical issues)
To stay informed about security updates:
- Watch the repository for security-related releases
- Subscribe to notifications for security advisories
- Follow our documentation for security best practices
- Update regularly to the latest version
- Dependency Scanning: Use tools like `safety` or `pip-audit`
- Code Analysis: Use tools like `bandit` for Python security analysis
- File Validation: Validate file types and sizes before processing
```bash
# Check for known vulnerabilities in dependencies
pip install safety
safety check

# Analyze code for security issues
pip install bandit
bandit -r doctra/

# Audit dependencies
pip install pip-audit
pip-audit
```

For security-related questions or concerns:
- Email: boukhrisadam98@gmail.com
- GitHub: AdemBoukhris457
- Issues: Use GitHub Issues for non-security-related questions
We appreciate the security researchers and community members who help keep Doctra secure by responsibly reporting vulnerabilities.
This security policy is part of the Doctra project and is subject to the same Apache License 2.0 terms as the main project.