Skip to content

docs: add SECURITY.md with private vulnerability reporting policy #1675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bdraco merged 1 commit into from
May 15, 2026
+63 −0
Merged

docs: add SECURITY.md with private vulnerability reporting policy #1675

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions CLAUDE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,17 @@ mutated from multiple threads without locks; no
but the test matrix exercises 3.14t, so any new Cython module
needs to keep working there.

## Reporting security issues

Suspected security vulnerabilities go through GitHub's [private
vulnerability reporting][gh-report], not public issues or pull
requests. The policy is spelled out in [SECURITY.md](SECURITY.md).
If a user describes what sounds like a vulnerability in chat,
point them at that route instead of opening a public issue, PR,
or commit that names the bug class and the affected code path.

[gh-report]: https://github.com/python-zeroconf/python-zeroconf/security/advisories/new

## Useful entry points

| Path | What |
Expand Down
52 changes: 52 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# Security Policy

## Reporting a vulnerability

Please report security vulnerabilities privately through GitHub's
[private vulnerability reporting][gh-report] for this repository.
That route sends the report directly to the maintainers and lets
us coordinate a fix, a CVE, and a release before public
disclosure.

**Do not** open a regular GitHub issue, a pull request, or post
to a public channel (mailing list, chat room, Stack Overflow,
etc.) for a suspected vulnerability. If you are unsure whether
something is a vulnerability, use the private report — we would
rather see a false alarm than a public one.

We aim to acknowledge new reports within a few business days.

[gh-report]: https://github.com/python-zeroconf/python-zeroconf/security/advisories/new

## Supported versions

Security fixes are released against the latest `0.x` line on
PyPI. Older releases are not maintained — please upgrade to the
current release before reporting, and confirm the issue still
reproduces there.

## Scope

`python-zeroconf` is an mDNS / DNS-SD library. By design it
parses untrusted multicast traffic from the local network
(RFC 6762, RFC 6763). In-scope issues include:

- Memory-safety, parsing, or denial-of-service issues triggered
by crafted mDNS / DNS-SD packets reaching `DNSIncoming`, the
record cache, the service registry, or listener callbacks.
- Logic bugs that cause the library to answer queries it should
not, leak information across interfaces, or hijack a service
name from another responder in a way the RFCs don't sanction.
- Issues in the build / packaging pipeline (`build_ext.py`,
wheel contents, signed-release flow) that could lead to a
compromised wheel on PyPI.

Out of scope:

- Risks inherent to running an mDNS responder on an untrusted
network — mDNS is unauthenticated by design (RFC 6762 §21).
Reports of the form "a malicious LAN peer can send packets"
are expected behaviour unless they cross one of the lines
above.
- Misconfiguration of a downstream application that uses the
library.
Loading