mirrors/uv
1
0
Fork 0
mirror of https://github.com/astral-sh/uv.git synced 2025-11-30 15:27:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Add SECURITY policy (#11035)

Browse source 
Closes https://github.com/astral-sh/uv/issues/11020
This commit is contained in:
Zanie Blue 2025-01-28 14:06:53 -06:00 committed by GitHub
parent fe6126a92b
commit 321f8ccf45
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 23 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

23
SECURITY.md Normal file
View file

@ -0,0 +1,23 @@
# Security policy
## Scope of security vulnerabilities
uv is a Python package manager. Due to the design of the Python packaging ecosystem and the dynamic
nature of Python itself, there are many cases where uv can execute arbitrary code. For example:
- uv invokes Python interpreters on the system to retrieve metadata
- uv builds source distributions as described by PEP 517
- uv may build packages from the requested package indexes
These are not considered vulnerabilities in uv. If you think uv's stance in these areas can be
hardened, please file an issue for a new feature.
## Reporting a vulnerability
If you have found a possible vulnerability that is not excluded by the above
[scope](#scope-of-security-vulnerabilities), please email `security at astral dot sh`.
## Bug bounties
While we sincerely appreciate and encourage reports of suspected security problems, please note that
Astral does not currently run any bug bounty programs.