Commit 83b83f4

Seth's suggestion (- "arbitrary")
Co-authored-by: Seth Larson <seth@python.org>
1 parent 90d59bd commit 83b83f4

1 file changed

Lines changed: 3 additions & 4 deletions

security/policy.rst

@@ -44,10 +44,9 @@ dead-locks, and resource exhaustion) must be
4444
triggerable with data inputs that are reasonably sized for the use case.
4545
Availability vulnerabilities must also demonstrate an "upward" change in posture
4646
for the attacker, rather than a "lateral" one.
47-
Unexpected Python exceptions are not vulnerabilities by themselves unless they
48-
satisfy the availability criteria above.
49-
This is to avoid handling performance and correctness improvements as security
50-
vulnerabilities.
47+
This is to avoid handling performance improvements as security vulnerabilities.
48+
Exceptions are an expected part of control flow when processing inputs,
49+
therefore crashes resulting from unhandled exceptions are not security vulnerabilities.
5150

5251
Vulnerabilities in dependencies of Python (such as zlib, Tcl/Tk, or OpenSSL)
5352
are not vulnerabilities in Python unless Python's use of the dependency
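
Review bot: The new sentence at lines 48-49 drops the old qualifier "unless they satisfy the availability criteria above", so it now reads as an unconditional exclusion and leaves it unclear whether an unhandled exception that does meet the availability criteria stated earlier in this paragraph is still out of scope. If the unconditional reading is intended, state that directly; if not, keep the qualifier. "Crashes" is also less precise than the old "Unexpected Python exceptions" and could be read as covering interpreter-level crashes, so wording such as "process termination resulting from unhandled Python exceptions" would narrow it to what the sentence is about. On style, "inputs, therefore" is a comma splice; use "inputs; therefore" or start a new sentence. The reworded line 47 also drops "and correctness" from the old text, which the commit message does not mention; confirm that removal is deliberate.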
