Skip to content

Commit 30b77c6

Browse files
Extend SECURITY.md's reporting guidelines (#382)
1 parent d73d1e4 commit 30b77c6

1 file changed

Lines changed: 18 additions & 0 deletions

File tree

.github/SECURITY.md

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,30 @@
11
# Security Policy
22

3+
Python Security Response Team (PSRT) members balance security work against many
4+
other responsibilities. Please be thoughtful about the time and attention your
5+
report requires. Repeated failure to respect this will result in future reports
6+
being rejected, or the reporter being banned from the `python` GitHub organization,
7+
regardless of technical merit.
8+
39
## Reporting a Vulnerability
410

511
Please use [GitHub Security Advisories](https://github.com/python/pymanager/security/advisories) to report potential issues to this project.
612

713
Alternatively, follow [the main security page](https://www.python.org/dev/security/) for alternate ways to report,
814
bearing in mind that eventually we will create a report using GHSA if needed.
915

16+
Reports should be a few sentences describing the vulnerability. Ideally include
17+
a proof-of-concept script that reproduces the issue and provides a clear
18+
indication of whether the vulnerability is still present. Reports must be
19+
plain-text only, including attachments. No PDFs, binaries, notebooks, or other
20+
files that cannot be safely reviewed. If your proof-of-concept depends on a
21+
specially constructed binary file, please include a script to construct it
22+
rather than the file itself. Ideally, include a minimal patch with the mitigation
23+
for the report.
24+
25+
Reports that do not contain a potential security vulnerability (such as spam or
26+
requesting compliance or due-diligence work) will be discarded without a reply.
27+
1028
## Threat Model
1129

1230
Our threat model for the Python install manager makes the following assumptions:

0 commit comments

Comments
 (0)