From 37d9801ae00fc5eaacacb0e9f066c8e4165632cd Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 30 Jun 2026 14:07:30 +0200 Subject: [PATCH] Security policy: exceptions are not crashes --- security/policy.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security/policy.rst b/security/policy.rst index d49f4dedb..14e6bf065 100644 --- a/security/policy.rst +++ b/security/policy.rst @@ -45,8 +45,10 @@ triggerable with data inputs that are reasonably sized for the use case. Availability vulnerabilities must also demonstrate an "upward" change in posture for the attacker, rather than a "lateral" one. This is to avoid handling performance improvements as security vulnerabilities. -Exceptions are an expected part of control flow when processing inputs, -therefore crashes resulting from unhandled exceptions are not security vulnerabilities. + +Exceptions are an expected part of control flow when processing inputs. +Unhandled exceptions are not considered crashes and are not, by themselves, +security vulnerabilities. Vulnerabilities in dependencies of Python (such as zlib, Tcl/Tk, or OpenSSL) are not vulnerabilities in Python unless Python's use of the dependency
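Review bot: the new sentence "Unhandled exceptions are not considered crashes and are not, by themselves, security vulnerabilities" asserts the exception/crash distinction but never says what the policy does count as a crash, so a reader of policy.rst has to infer it from the commit subject. Consider adding a short clause that defines the term used here, e.g. "Crashes, for the purpose of this policy, are failures of the interpreter process itself rather than Python-level exceptions", and spell out when the "by themselves" qualifier no longer applies, ideally by tying it to the "upward change in posture for the attacker" test that the preceding unchanged lines already set for availability reports. The extra blank line before the new paragraph also splits it from the availability discussion it continues; if that is deliberate, the cross-reference above would make the connection explicit.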