From 067aa9541f9c6981970538dc215fea903d8e69a8 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Wed, 8 Jul 2026 11:56:42 +0200 Subject: [PATCH] Extend `SECURITY.md`s reporting guidelines --- .github/SECURITY.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 11946b8..909cd5c 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -1,5 +1,11 @@ # Security Policy +Python Security Response Team (PSRT) members balance security work against many +other responsibilities. Please be thoughtful about the time and attention your +report requires. Repeated failure to respect this will result in future reports +being rejected, or the reporter being banned from the `python` GitHub organization, +regardless of technical merit. + ## Reporting a Vulnerability Please use [GitHub Security Advisories](https://github.com/python/pymanager/security/advisories) to report potential issues to this project. @@ -7,6 +13,18 @@ Please use [GitHub Security Advisories](https://github.com/python/pymanager/secu Alternatively, follow [the main security page](https://www.python.org/dev/security/) for alternate ways to report, bearing in mind that eventually we will create a report using GHSA if needed. +Reports should be a few sentences describing the vulnerability. Ideally include +a proof-of-concept script that reproduces the issue and provides a clear +indication of whether the vulnerability is still present. Reports must be +plain-text only, including attachments. No PDFs, binaries, notebooks, or other +files that cannot be safely reviewed. If your proof-of-concept depends on a +specially constructed binary file, please include a script to construct it +rather than the file itself. Ideally, include a minimal patch with the mitigation +for the report. + +Reports that do not contain a potential security vulnerability (such as spam or +requesting compliance or due-diligence work) will be discarded without a reply. + ## Threat Model Our threat model for the Python install manager makes the following assumptions: