Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions .github/SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,30 @@
# Security Policy

Python Security Response Team (PSRT) members balance security work against many
other responsibilities. Please be thoughtful about the time and attention your
report requires. Repeated failure to respect this will result in future reports
being rejected, or the reporter being banned from the `python` GitHub organization,
regardless of technical merit.

## Reporting a Vulnerability

Please use [GitHub Security Advisories](https://github.com/python/pymanager/security/advisories) to report potential issues to this project.

Alternatively, follow [the main security page](https://www.python.org/dev/security/) for alternate ways to report,
bearing in mind that eventually we will create a report using GHSA if needed.

Reports should be a few sentences describing the vulnerability. Ideally include
a proof-of-concept script that reproduces the issue and provides a clear
indication of whether the vulnerability is still present. Reports must be
plain-text only, including attachments. No PDFs, binaries, notebooks, or other
files that cannot be safely reviewed. If your proof-of-concept depends on a
specially constructed binary file, please include a script to construct it
rather than the file itself. Ideally, include a minimal patch with the mitigation
for the report.

Reports that do not contain a potential security vulnerability (such as spam or
requesting compliance or due-diligence work) will be discarded without a reply.

## Threat Model

Our threat model for the Python install manager makes the following assumptions:
Expand Down