
Commit 2d403e1

Address more review comments
1 parent 39e11fd commit 2d403e1

1 file changed

Lines changed: 7 additions & 5 deletions


security/policy.rst

@@ -37,7 +37,8 @@ modifications to files on the target system. We assume that, at the time Python
3737
is executed, the environment is as intended by the legitimate user, and any
3838
malicious variation from this cannot be mitigated by Python itself.
3939

40-
Vulnerabilities that affect availability (such as DoS or ReDoS) must be
40+
Vulnerabilities that affect availability (such as DoS, ReDoS, crashes,
41+
dead-locks, and resource exhaustion) must be
4142
triggerable with data inputs that are reasonably sized for the use-case.
4243
Availability vulnerabilities must also demonstrate an "upward" change in posture
4344
for the attacker, rather than a "lateral" one.
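
Review bot: "dead-locks" in the added line at new line 41 should be spelled "deadlocks". In the same list, "crashes" sits under the availability heading, but a crash in native code that stems from memory corruption is normally assessed as a memory-safety issue rather than as an availability one; consider qualifying the term (for example "crashes such as uncaught aborts") or stating that memory-unsafety crashes are covered separately, so the "reasonably sized inputs" requirement is not read as applying to them. The rewrap also leaves "dead-locks, and resource exhaustion) must be" as a short dangling line; reflowing "must be triggerable" onto one line would read better.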
@@ -87,9 +88,8 @@ be formatted correctly:
8788
``1`` if vulnerable and ``0`` if not vulnerable).
8889
* When reporting large numbers or "batches" of vulnerabilities or
8990
searching for potential vulnerabilities using an LLM, you as a reporter must
90-
verify the validity of all reports prior to submission to the PSRT.
91-
PSRT members WILL NOT spend time confirming the validity of reports, only
92-
whether a valid bug report is a vulnerability or not.
91+
verify the factual validity (such as whether APIs have been hallucinated)
92+
of the content in all reports prior to submission to the PSRT.
9393
* Do not include severity or CVSS information in your initial report,
9494
this information will be determined by the PSRT.
9595
* Ideally, include a minimal patch with the mitigation for the report.
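
Review bot: the deleted lines 91-92 ("PSRT members WILL NOT spend time confirming the validity of reports, only whether a valid bug report is a vulnerability or not") stated the consequence of an unverified report, and the replacement at new lines 91-92 keeps only the reporter's obligation; consider retaining one sentence on the outcome (that the PSRT will not validate such reports and will treat them like the non-vulnerability reports discarded without a reply later in this section), so the "must" has a stated effect. The parenthetical "(such as whether APIs have been hallucinated)" is a useful concrete check; "such as whether cited APIs actually exist" would be clearer to reporters who do not know the term.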
@@ -99,6 +99,8 @@ be formatted correctly:
9999
No PDFs, binaries, notebooks, or other files that cannot be safely reviewed.
100100
If your proof-of-concept depends on a specially constructed binary file,
101101
please include a script to construct it rather than the file itself.
102+
* Proof-of-concept scripts longer than a few lines should be wrapped
103+
with ``<detail></detail>`` for better readability.
102104
* Reports that do not contain a potential security vulnerability (such as spam
103105
or requesting compliance or due-diligence work)
104106
will be discarded without a reply.
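
Review bot: the added bullet at new lines 102-103 refers to ``<detail></detail>``, but the HTML element that renders as a collapsible block in GitHub-flavoured Markdown is ``<details>`` (plural), optionally with a ``<summary>`` line as the caption; a reporter who follows the text literally will get a tag that does not collapse. Suggest: ``wrapped in ``<details></details>`` (optionally with a ``<summary>``) for better readability``.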
@@ -119,7 +121,7 @@ Here's what to expect for how a vulnerability report will be handled:
119121
* If the PSRT determines the report isn't a vulnerability, the issue
120122
can be opened in the public issue tracker.
121123
* If the PSRT determines the report is a vulnerability, the PSRT will
122-
accept your report and a CVE ID will be assigned by the PSF CNA.
124+
accept the report and a CVE ID will be assigned by the PSF CNA.
123125
* Once a public pull request containing a fix is merged to CPython,
124126
the advisory and CVE record will be published with attribution.
125127
