From db8dee530c2b9c223de076b296dc96119b83ec3f Mon Sep 17 00:00:00 2001 From: wiredfool Date: Fri, 5 Jun 2026 12:02:13 +0100 Subject: [PATCH 1/2] Additional guidelines for security reports --- docs/handbook/security.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/handbook/security.rst b/docs/handbook/security.rst index c13389134ff..f34bb58286e 100644 --- a/docs/handbook/security.rst +++ b/docs/handbook/security.rst @@ -257,3 +257,17 @@ If you cannot use GitHub, use the `Tidelift security contact disclosure. **Do not report sensitive vulnerability information in public.** + +Additionally: + +1. Please ensure that your issue is reproducable in **main**. We only + support the latest version. The one exception -- if your issue is + exploitable in the latest public release, but not in main, and the + pull request does not mention a security implication this may be an + unknown security issue that was inadvertely fixed. +2. Demonstrating a memory overflow is enough. Please do not weaponize + the reproducer to do remote code execution. +3. Please do not report unexpected Python exceptions as a DOS or a + memory safety bug. An issue that raises a Python exception in a + library is unlikely to be considered a security issue. This may or + may not be an ordinary bug depending on the context. From ce62c52e5d516b1432d03671b30f495ac9b82ed0 Mon Sep 17 00:00:00 2001 From: Jeffrey 'Alex' Clark Date: Fri, 5 Jun 2026 09:15:39 -0400 Subject: [PATCH 2/2] Apply suggestion from @radarhere Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com> --- docs/handbook/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/handbook/security.rst b/docs/handbook/security.rst index f34bb58286e..e23abf98866 100644 --- a/docs/handbook/security.rst +++ b/docs/handbook/security.rst 
@@ -267,7 +267,7 @@ Additionally: unknown security issue that was inadvertely fixed. 2. Demonstrating a memory overflow is enough. Please do not weaponize the reproducer to do remote code execution. -3. Please do not report unexpected Python exceptions as a DOS or a +3. Please do not report unexpected Python exceptions as a DoS or a memory safety bug. An issue that raises a Python exception in a library is unlikely to be considered a security issue. This may or may not be an ordinary bug depending on the context.
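Review bot: In the first hunk (the block added after "**Do not report sensitive vulnerability information in public.**"), item 1 has two spelling errors that will ship into the rendered handbook: "reproducable" should be "reproducible" and "inadvertely" should be "inadvertently". The same item also reads as a run-on and leaves the reporter without an instruction: "if your issue is exploitable in the latest public release, but not in main, and the pull request does not mention a security implication this may be an unknown security issue that was inadvertely fixed." Consider a comma before "this may be", making clear which pull request is meant (the one that changed the behaviour in main), and saying explicitly that such a case should still be reported privately, for example: "...and the pull request that changed the behaviour does not mention a security implication, this may be an unknown security issue that was inadvertently fixed. Please still report it." In item 2, "Demonstrating a memory overflow is enough" is narrower than the class of reports the page is about; "a memory safety violation (for example an out-of-bounds read or write)" would cover invalid reads and use-after-free as well as overflows without inviting a weaponized proof of concept.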
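Review bot: The second hunk corrects "DOS" to "DoS" in item 3, which is the standard abbreviation, but the unchanged context line two lines above it still carries "inadvertely fixed." from the first commit, and "reproducable" in item 1 is outside this hunk entirely; since this follow-up commit is already touching the same list, it would be worth fixing both spellings here so the squashed change lands clean rather than leaving them for a third commit.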