Add SECURITY policy

astral-sh · Jan 28, 2025 · b9d6b14 · b9d6b14
1 parent 0ae3fce
commit b9d6b14
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security policy
+
+## Scope of security vulnerabilities
+
+uv is a Python package manager. Due to the design of the Python and its packaging ecosystem, there
+are many cases where uv can execute arbitrary code. For example:
+
+- uv invokes Python interpreters on the system to retrieve metadata
+- uv builds source distributions as described by PEP 517
+- uv may build packages from the requested package indexes
+
+These are not considered vulnerabilities in uv. If you think uv's stance in these areas can be
+hardened, please file an issue for a new feature.
+
+## Reporting a vulnerability
+
+If you have found a possible vulnerability that is not excluded by the above
+[scope](#scope-of-security-vulnerabilities), please email `security at astral dot sh`.
+
+## Bug bounties
+
+While we sincerely appreciate and encourage reports of suspected security problems, please note that
+Astral does not currently run any bug bounty programs.