From 5043dd53f73354e361145ac235836ab9e61f3e90 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Wed, 8 Jul 2026 11:47:59 +0200 Subject: [PATCH] Add a `SECURITY.md` with reporting guidelines --- .github/SECURITY.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..7dbf18bb --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,23 @@ +# Security Policy + +Python Security Response Team (PSRT) members balance security work against many +other responsibilities. Please be thoughtful about the time and attention your +report requires. Repeated failure to respect this will result in future reports +being rejected, or the reporter being banned from the `python` GitHub organization, +regardless of technical merit. + +## Reporting a Vulnerability + +Submit a vulnerability report using GitHub Security Advisories. + +Reports should be a few sentences describing the vulnerability. Ideally include +a proof-of-concept script that reproduces the issue and provides a clear +indication of whether the vulnerability is still present. Reports must be +plain-text only, including attachments. No PDFs, binaries, notebooks, or other +files that cannot be safely reviewed. If your proof-of-concept depends on a +specially constructed binary file, please include a script to construct it +rather than the file itself. Ideally, include a minimal patch with the mitigation +for the report. + +Reports that do not contain a potential security vulnerability (such as spam or +requesting compliance or due-diligence work) will be discarded without a reply.