diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..7dbf18bb --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,23 @@ +# Security Policy + +Python Security Response Team (PSRT) members balance security work against many +other responsibilities. Please be thoughtful about the time and attention your +report requires. Repeated failure to respect this will result in future reports +being rejected, or the reporter being banned from the `python` GitHub organization, +regardless of technical merit. + +## Reporting a Vulnerability + +Submit a vulnerability report using GitHub Security Advisories. + +Reports should be a few sentences describing the vulnerability. Ideally include +a proof-of-concept script that reproduces the issue and provides a clear +indication of whether the vulnerability is still present. Reports must be +plain-text only, including attachments. No PDFs, binaries, notebooks, or other +files that cannot be safely reviewed. If your proof-of-concept depends on a +specially constructed binary file, please include a script to construct it +rather than the file itself. Ideally, include a minimal patch with the mitigation +for the report. + +Reports that do not contain a potential security vulnerability (such as spam or +requesting compliance or due-diligence work) will be discarded without a reply.