
Python Security

Reporting security issues with PyPI or a project hosted on PyPI

See the security issue information for pypi.org here.

Reporting security issues

The Python Software Foundation and the Python developer community take security vulnerabilities very seriously. A Python Security Response Team (PSRT) has been formed that does triage on all reported vulnerabilities and works to resolve them. To reach the response team, send email to security at python dot org. Only the response team members will see your email, and it will be treated confidentially.

The PSRT mailing list is tightly controlled, so you can have confidence that your security issue will only be read by a highly trusted cabal of Python developers. If for some reason you wish to further encrypt your message to this mailing list (for example, if your mail system does not use TLS), you can use our shared OpenPGP key, which is also available on the public keyservers.

The PSRT accepts security reports for the following projects:

The PSRT does not accept reports for third-party redistributions of Python or pip. Those reports should be directed towards their corresponding distribution security contact.

Vulnerability handling

The following is an overview of the vulnerability handling process from reporting to disclosure:

  • The reporter reports the vulnerability privately to the PSRT.
  • If the PSRT determines the report isn't a vulnerability, the issue can be opened in a public issue tracker if applicable.
  • If the report constitutes a vulnerability, the PSRT will work privately with the reporter to resolve the vulnerability.
  • The project creates a new release to deliver the fix.
  • The project publicly announces the vulnerability and describes how to apply the fix via an advisory. At this point the vulnerability can be discussed publicly by the reporter and team.

Bug bounties

While we sincerely appreciate and encourage reports of suspected security problems in supported Python releases and the PSF web infrastructure, please note that the Python Software Foundation does not run any bug bounty programs. We are a nonprofit organization, depending on donation and support from the community.

Published advisories and mailing list

Security advisories are published to multiple public locations. Advisories are sent via email to the security-announce@python.org mailing list. Subscribe to the mailing list if you'd like to be updated on newly published security advisories. The mailing list has a public archive including all historical advisories sent to the list.

There is also an advisory database published to GitHub using the Open Source Vulnerability (OSV) format, which can be consumed using automated tooling.

CVE Numbering Authority (CNA) contact

If you need to contact the Python Software Foundation CNA directly, such as for updating or disputing a CVE record, you can send an email to cna at python dot org. Be sure that the CVE record in question was issued by the PSF CNA and not a different CNA.

OpenPGP Key

Key fingerprint:

pub   2048R/D067453C 2010-09-08
      Key fingerprint = F314 452F E3F9 BF87 0435  7732 D273 E0FF D067 453C
uid                  Python Security Response Team <security@python.org>
sub   2048R/0953421B 2010-09-08

Key data:
