Add SECURITY policy #11035
Merged
@@ -0,0 +1,23 @@ | ||
# Security policy | ||
|
||
## Scope of security vulnerabilities | ||
|
||
uv is a Python package manager. Due to the design of the Python packaging ecosystem and the dynamic | ||
nature of Python itself, there are many cases where uv can execute arbitrary code. For example: | ||
|
||
- uv invokes Python interpreters on the system to retrieve metadata | ||
- uv builds source distributions as described by PEP 517 | ||
- uv may build packages from the requested package indexes | ||
|
||
These are not considered vulnerabilities in uv. If you think uv's stance in these areas can be | ||
hardened, please file an issue for a new feature. | ||
|
||
## Reporting a vulnerability | ||
|
||
If you have found a possible vulnerability that is not excluded by the above | ||
[scope](#scope-of-security-vulnerabilities), please email `security at astral dot sh`. | ||
|
||
## Bug bounties | ||
|
||
While we sincerely appreciate and encourage reports of suspected security problems, please note that | ||
Astral does not currently run any bug bounty programs. |
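Review bot: the second and third bullets of the scope list overlap and the third is vague. "uv may build packages from the requested package indexes" reads as a restatement of the PEP 517 bullet, since what uv fetches from an index and then builds is a source distribution; either merge the two or state the distinct risk the third bullet is meant to cover (that uv installs whatever the configured indexes serve for a requested name, so index selection and name collisions across indexes are the user's responsibility). The closing "please file an issue for a new feature" would also be more useful to a reporter with a pointer to the opt-outs that already exist, such as the no-build option raised in the review thread, so the reader can tell existing hardening from a genuine feature gap.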
I'm sure I'm missing things here
We could perhaps just mention things like `no-build`?
I was thinking about that but wasn't sure how to do so without being verbose.. let me see what I can do
That sort of belongs in a "Hardening" document rather than the security policy document?
Maybe once that exists we can just link there?