From 5136a192a3e00129d364d1a43190caf1d2b22a77 Mon Sep 17 00:00:00 2001 From: Bruno Oliveira Date: Wed, 3 Jun 2026 14:10:47 -0300 Subject: [PATCH] Report security vulnerabilities using GitHub Direct users to report security vulnerabilities using GitHub's security advisory. This was one of the options suggested by Tidelift's support during an email exchange about a new vulnerability, which seems like a good idea as is easier for users and directly integrated into our workflow. --- .github/ISSUE_TEMPLATE/3_security_vulnerability.md | 8 ++++++++ README.rst | 4 +--- SECURITY.md | 3 +++ doc/en/index.rst | 4 +--- 4 files changed, 13 insertions(+), 6 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/3_security_vulnerability.md create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/3_security_vulnerability.md b/.github/ISSUE_TEMPLATE/3_security_vulnerability.md new file mode 100644 index 00000000000..b864011a1c4 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/3_security_vulnerability.md @@ -0,0 +1,8 @@ +--- +name: Security Vulnerability +about: Report security vulnerabilities +--- + +**Do not submit security vulnerabilities as issues**. + +Create a [new Security Advisory](https://github.com/pytest-dev/pytest/security/advisories/new) instead. diff --git a/README.rst b/README.rst index 3bc5f06fc81..253db05370e 100644 --- a/README.rst +++ b/README.rst @@ -149,9 +149,7 @@ Save time, reduce risk, and improve code health, while paying the maintainers of Security ^^^^^^^^ -pytest has never been associated with a security vulnerability, but in any case, to report a -security vulnerability please use the `Tidelift security contact `_. -Tidelift will coordinate the fix and disclosure. +If you have found an issue that you believe is a security vulnerability, please do not create an issue -- instead, report it via a `new security advisory `__. License diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..637f4f51122 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,3 @@ +Security vulnerabilities in pytest are rare, given it is a testing framework used for development, not used in production. + +However, if you find an issue that you believe is a security risk, please report a [new Security Advisory](https://github.com/pytest-dev/pytest/security/advisories/new). diff --git a/doc/en/index.rst b/doc/en/index.rst index 29d270084e9..5ce8bf0e8e4 100644 --- a/doc/en/index.rst +++ b/doc/en/index.rst @@ -151,6 +151,4 @@ Save time, reduce risk, and improve code health, while paying the maintainers of Security ~~~~~~~~ -pytest has never been associated with a security vulnerability, but in any case, to report a -security vulnerability please use the `Tidelift security contact `_. -Tidelift will coordinate the fix and disclosure. +If you have found an issue that you believe is a security vulnerability, please do not create an issue -- instead, report it via a `new security advisory `__.
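Review bot: an issue template cannot stop a reporter from opening a public issue, it only shows the warning text inside the form, so the new `.github/ISSUE_TEMPLATE/3_security_vulnerability.md` still presents an issue body that a reporter may fill in with vulnerability details and submit publicly. Consider replacing it with a `contact_links` entry in `.github/ISSUE_TEMPLATE/config.yml` (a `name`, an `about` text and a `url` pointing at https://github.com/pytest-dev/pytest/security/advisories/new); that renders as a link in the issue chooser and sends the reporter to the advisory form without ever opening an issue.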
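Review bot: the replacement paragraph in README.rst drops the statement of what happens after a report (the removed line "Tidelift will coordinate the fix and disclosure."), so a reporter no longer learns whether the report will be acknowledged or how disclosure is handled. Suggest keeping one sentence on that, for example: "The maintainers will triage the report and coordinate a fix and disclosure through the advisory."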
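Review bot: the `security/advisories/new` link in SECURITY.md only lets non-maintainers file a report if private vulnerability reporting is enabled for the repository, so verify in the repository's security settings that it is turned on before merging; otherwise a reporter is refused and is likely to fall back to a public issue. Separately, SECURITY.md is the one file that does not tell reporters not to open a public issue (the README.rst and doc/en/index.rst paragraphs do), and its opening sentence about vulnerabilities being rare adds nothing to the instruction and may read as discouraging a report; suggest leading with the reporting instruction and the "do not create an issue" wording used in the other two files.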
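Review bot: this doc/en/index.rst hunk repeats the README.rst paragraph word for word, and the wording already diverges from SECURITY.md ("security vulnerability" here, "security risk" there), so the reporting process is now described in three places that must be kept in sync. Consider having README.rst and doc/en/index.rst link to SECURITY.md, or pull the text in with an RST `.. include::`, so that a future change to the process needs a single edit.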