6 changes: 4 additions & 2 deletions security/policy.rst
@@ -45,8 +45,10 @@ triggerable with data inputs that are reasonably sized for the use case.
Availability vulnerabilities must also demonstrate an "upward" change in posture
for the attacker, rather than a "lateral" one.
This is to avoid handling performance improvements as security vulnerabilities.
Exceptions are an expected part of control flow when processing inputs,
therefore crashes resulting from unhandled exceptions are not security vulnerabilities.

Member Author

@StanFromIreland do you mean keeping it in the previous paragraph?

Suggested change

We can do that, but I think it reads better when it's separate.

Member

I'm +1 for keeping it together; it goes naturally with "Vulnerabilities that affect availability", but I'll leave it up to you.

Exceptions are an expected part of control flow when processing inputs.
Unhandled exceptions are not considered crashes and are not, by themselves,
security vulnerabilities.

Vulnerabilities in dependencies of Python (such as zlib, Tcl/Tk, or OpenSSL)
are not vulnerabilities in Python unless Python's use of the dependency
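Review bot: "Unhandled exceptions are not considered crashes" in the replacement text reads as a definition, and a reader who thinks of an uncaught exception terminating the interpreter as a crash may find it at odds with the wording being removed ("crashes resulting from unhandled exceptions"); saying what is meant directly, e.g. "are not considered hard interpreter crashes", would make the intent unambiguous. The qualifier "by themselves" also invites the question of when an unhandled exception does qualify; pointing back to the availability criteria just above (an "upward" change in posture, reachable with reasonably sized inputs) would close that gap without lengthening the paragraph.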