diff --git a/.github/ISSUE_TEMPLATE/3_security_vulnerability.md b/.github/ISSUE_TEMPLATE/3_security_vulnerability.md new file mode 100644 index 00000000000..b864011a1c4 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/3_security_vulnerability.md @@ -0,0 +1,8 @@ +--- +name: Security Vulnerability +about: Report security vulnerabilities +--- + +**Do not submit security vulnerabilities as issues**. + +Create a [new Security Advisory](https://github.com/pytest-dev/pytest/security/advisories/new) instead. diff --git a/README.rst b/README.rst index 3bc5f06fc81..253db05370e 100644 --- a/README.rst +++ b/README.rst @@ -149,9 +149,7 @@ Save time, reduce risk, and improve code health, while paying the maintainers of Security ^^^^^^^^ -pytest has never been associated with a security vulnerability, but in any case, to report a -security vulnerability please use the `Tidelift security contact `_. -Tidelift will coordinate the fix and disclosure. +If you have found an issue that you believe is a security vulnerability, please do not create an issue -- instead, report it via a `new security advisory `__. License diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..637f4f51122 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,3 @@ +Security vulnerabilities in pytest are rare, given it is a testing framework used for development, not used in production. + +However, if you find an issue that you believe is a security risk, please report a [new Security Advisory](https://github.com/pytest-dev/pytest/security/advisories/new). diff --git a/doc/en/index.rst b/doc/en/index.rst index 29d270084e9..5ce8bf0e8e4 100644 --- a/doc/en/index.rst +++ b/doc/en/index.rst 
@@ -151,6 +151,4 @@ Save time, reduce risk, and improve code health, while paying the maintainers of Security ~~~~~~~~ -pytest has never been associated with a security vulnerability, but in any case, to report a -security vulnerability please use the `Tidelift security contact `_. -Tidelift will coordinate the fix and disclosure. +If you have found an issue that you believe is a security vulnerability, please do not create an issue -- instead, report it via a `new security advisory `__.
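Review bot: The new issue template in `.github/ISSUE_TEMPLATE/3_security_vulnerability.md` has only `name` and `about` in its front matter, so the "Do not submit" instruction is the whole body and a reporter who ignores it will open a public issue with no structure. Consider keeping the template this terse on purpose (which is reasonable), but adding a `title:` prefix such as `[SECURITY]` so any issue filed through it despite the warning is easy for maintainers to spot and lock quickly.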
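Review bot: In the `README.rst` hunk the new anonymous hyperlink reads `` `new security advisory `__ `` with nothing between the link text and the closing backtick; a reST link in this form needs the target in angle brackets, `` `new security advisory <URL>`__ ``, or Sphinx will emit an "Anonymous hyperlink mismatch" warning and render a dead link. Please confirm the `<https://github.com/pytest-dev/pytest/security/advisories/new>` target is present in the actual commit and was only lost here. Separately, the removed lines were the only place that told readers Tidelift coordinates fix and disclosure; if that channel is being retired, say so in the commit message so downstream users relying on it are not surprised.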
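Review bot: `SECURITY.md` opens by arguing that vulnerabilities are rare because pytest is "not used in production", which is a rationale rather than a policy and reads as discouraging reports; a test runner still executes with the developer's or CI's credentials and loads third-party plugins and conftest code, so the reporting path matters regardless. Suggest leading with the instruction and keeping the framing short, e.g. "If you believe you have found a security issue in pytest, please report it via a new Security Advisory rather than a public issue." GitHub also surfaces this file under the repository's Security tab, so it is worth matching the README wording ("do not create an issue") and, if the project has a stance, adding a Supported Versions line so reporters know which releases will receive a fix.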
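Review bot: The `doc/en/index.rst` hunk has the same empty anonymous-link target as the README hunk (`` `new security advisory `__ `` with no `<URL>`), so please check that file too; a broken link here is more visible since this page is the documentation landing page. The replacement paragraph is now a verbatim copy of the README's, which means the two will drift the next time either is edited; consider keeping the text in one place and pulling it into the other with a `.. include::` directive, or at least noting in the commit that both must be updated together.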