From a3baa0f17298f74d8016add5f4fc63b26d53fdc5 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Thu, 4 Jun 2026 12:04:26 +0100 Subject: [PATCH 1/3] Clarify the role PSRT has in handling vulnerability reports for unsupported platforms --- security/policy.rst | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/security/policy.rst b/security/policy.rst index e9b145220..2e97f5822 100644 --- a/security/policy.rst +++ b/security/policy.rst @@ -78,12 +78,14 @@ are not treated as vulnerabilities in Python. As per the :pep:`Unsupported Platforms section of PEP 11 <11#unsupported-platforms>`, porting Python to an unsupported platform is treated as a third-party project. -If you choose to report such a vulnerability to Python, please follow the -requirements of this guide. Note that these reports may be shared with -parties who expressed interested in the relevant platforms and will -generally be handled according to the relevant maintainers' security -policies. These reports may closed if the maintainers are unknown or -unresponsive. +For these reports, the PSRT treats them as vulnerability reports for a third-party +port, but not as Python vulnerabilities. +If you choose to report such an issue to Python, please follow the requirements +of this guide and include the relevant platform and maintainer context. +The PSRT forwards these reports to platform maintainers (or other interested +parties) and they are usually handled under the relevant maintainers’ security +policies. These reports will be closed without further action if the maintainers +are unknown or unresponsive. What to include and how to structure a vulnerability report? ------------------------------------------------------------ From e86bd4e208af0cdeb1cb20d319428dce62e5b4f2 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Thu, 4 Jun 2026 12:07:57 +0100 Subject: [PATCH 2/3] Slightly less strict --- security/policy.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/security/policy.rst b/security/policy.rst index 2e97f5822..b6d6ff31b 100644 --- a/security/policy.rst +++ b/security/policy.rst @@ -83,9 +83,8 @@ port, but not as Python vulnerabilities. If you choose to report such an issue to Python, please follow the requirements of this guide and include the relevant platform and maintainer context. The PSRT forwards these reports to platform maintainers (or other interested -parties) and they are usually handled under the relevant maintainers’ security -policies. These reports will be closed without further action if the maintainers -are unknown or unresponsive. +parties) and they are usually handled under the relevant maintainers' security +policies. These reports will be closed if the maintainers are unknown or unresponsive. What to include and how to structure a vulnerability report? ------------------------------------------------------------ From 8bbb5d4857199dcc94948c7393cc7d84f60d0733 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Thu, 4 Jun 2026 16:46:57 +0100 Subject: [PATCH 3/3] Minor wording adjustments Co-authored-by: Jacob Coffee Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- security/policy.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/policy.rst b/security/policy.rst index b6d6ff31b..06af97c4d 100644 --- a/security/policy.rst +++ b/security/policy.rst 
@@ -79,8 +79,8 @@ are not treated as vulnerabilities in Python. As per the :pep:`Unsupported Platforms section of PEP 11 <11#unsupported-platforms>`, porting Python to an unsupported platform is treated as a third-party project. For these reports, the PSRT treats them as vulnerability reports for a third-party -port, but not as Python vulnerabilities. -If you choose to report such an issue to Python, please follow the requirements +port, not as Python vulnerabilities. +If you choose to report such an issue to Python, follow the requirements of this guide and include the relevant platform and maintainer context. The PSRT forwards these reports to platform maintainers (or other interested parties) and they are usually handled under the relevant maintainers' security
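Review bot: in the PATCH 1/3 hunk (policy.rst around line 78), the new sentence "For these reports, the PSRT treats them as vulnerability reports for a third-party port, but not as Python vulnerabilities." names its subject twice ("For these reports ... treats them"); "The PSRT treats these as vulnerability reports for a third-party port, not as Python vulnerabilities." says the same thing in one clause. The same hunk also introduces a curly apostrophe in "maintainers’ security policies" where the removed line used the straight "maintainers'"; since PATCH 2/3 only exists to revert that character and soften "closed without further action", the three commits should be squashed into one before merge so the intermediate wording never lands on the main branch.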
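Review bot: in the PATCH 2/3 hunk (policy.rst around line 83), the rewrapped line "policies. These reports will be closed if the maintainers are unknown or unresponsive." is 86 characters, while the surrounding paragraph wraps at roughly 80; rewrap it as "policies. These reports will be closed if the maintainers are unknown or" followed by "unresponsive." so the paragraph stays consistent with the rest of the file.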
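Review bot: in the PATCH 3/3 hunk (policy.rst around line 79), the sentence still opens "For these reports, the PSRT treats them ..." after this wording pass, so the redundant subject from PATCH 1/3 survives; suggest "The PSRT treats these as vulnerability reports for a third-party port, not as Python vulnerabilities." while the wording is being touched. The hunk as quoted also stops at "relevant maintainers' security" without its remaining context line, although the header declares an 8-line range, so the patch cannot be applied as shown; please re-send the complete hunk.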