From 7434dcf54701931fb72926a905d5a1ef66f9e32d Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 18 Mar 2026 13:16:33 -0500 Subject: [PATCH 1/4] Expand and document PSRT coordination process --- _static/psrt-coordinator-report.svg | 2 + _static/psrt-coordinator-triage.svg | 2 + developer-workflow/psrt.rst | 270 +++++++++++++++++----------- 3 files changed, 170 insertions(+), 104 deletions(-) create mode 100644 _static/psrt-coordinator-report.svg create mode 100644 _static/psrt-coordinator-triage.svg diff --git a/_static/psrt-coordinator-report.svg b/_static/psrt-coordinator-report.svg new file mode 100644 index 000000000..4e84c27d7 --- /dev/null +++ b/_static/psrt-coordinator-report.svg @@ -0,0 +1,2 @@ + +

Received a report...

... via security@python.org?

... via GHSA?

PSRT admin reviews email

Reject

Approve

PSRT asks reporter to open via GHSA

GHSA in state 'Triage'

 diff --git a/_static/psrt-coordinator-triage.svg b/_static/psrt-coordinator-triage.svg new file mode 100644 index 000000000..3e49ea805 --- /dev/null +++ b/_static/psrt-coordinator-triage.svg @@ -0,0 +1,2 @@ + +

GHSA in state 'Triage'

PSRT member volunteers as Coordinator

After 3 days idle Coordinator is auto-assigned

Coordinator determines whether the report...

...is a non-issue or invalid

...is a bug, but not security relevant

...is a security issue

Close the GHSA ticket

Coordinator opens a public GitHub issue

Move GHSA to state 'Draft'

 diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index 543e09358..7dc238923 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst @@ -56,7 +56,7 @@ Below are the responsibilities of PSRT members: necessary to make a determination whether a report is a vulnerability and developing a patch. Coordinators are encouraged to involve members of the core team to make the best decision for each report rather than working in isolation. -* As a Coordinator, calculating the severity using CVSS and authoring advisories +* As a Coordinator, calculating the severity using CVSSv4 and authoring advisories to be shared on `security-announce@python.org`_. These advisories are used for CVE records by the `PSF CVE Numbering Authority`_. * Coordinators that can no longer move a report forwards for any reason must @@ -80,94 +80,176 @@ following additional responsibilities: * Running nomination elections, including counting final votes and giving the Steering Council an opportunity to veto nominations via email. -Vulnerability report triage ---------------------------- +Triaging a vulnerability report +------------------------------- + +PSRT members coordinate reports from when they are first submitted +to a "finished" state. Finished states include +marking a report as a "non-issue", opening a public issue on GitHub, +or a merged patch with an accompanying CVE and advisory to +``security-announce@python.org``. Reports should reach a finished +state within 90 days of being received by the PSRT. -Vulnerability reports are sent to one of two locations, -the long-standing ``security@python.org`` mailing list -or using the private vulnerability reporting feature -of GitHub Security Advisories (GHSA). +Reports enter the system through ``security@python.org`` or +on a project GitHub Security Advisory (GHSA) ticketing system. +For projects that use GHSA, reports to ``security@python.org`` +should have reporters `re-open their report using GHSA`_. + +.. raw:: html + :file: ../_static/psrt-coordinator-report.svg + +.. _re-open their report using GHSA: #submit-using-github-security-advisories + +New report in GitHub Security Advisories (GHSA) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Once a report is in GHSA, a "Coordinator" must be assigned +to be responsible for moving the report through the process. +The "Coordinator" role is assigned using a "Credit" in a GHSA ticket +(Select 'Edit' > 'Credit' > Add GitHub username and the role 'Coordinator'). -For reports sent to ``security@python.org``, a PSRT admin -will triage the report and if the report seems plausible -(that is, not spam and for the correct project) will reply with -instructions on how to report the vulnerability on GitHub. +If a GHSA ticket is idle for 3 days without a coordinator +assigned a non-"Release Manager" / "Steering Council" +PSRT member will be automatically assigned as coordinator by the PSRT bot. +If a coordinator can't complete the process +they must find a replacement coordinator in the PSR +and re-assign the GHSA ticket. -If the reporter doesn't want to use GitHub's Security Advisories feature -then the PSRT admins can create a draft report on behalf of the reporter. +Determining whether a report is a vulnerability +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Coordinating a vulnerability report ------------------------------------ +.. raw:: html + :file: ../_static/psrt-coordinator-triage.svg -Each report will have a member of the PSRT assigned as the "coordinator". -The coordinator will be responsible for following the below process and -will be publicly credited on vulnerability records post-publication. +The coordinator will make a determination about a report, either +marking the ticket as a non-issue, as an issue that isn't a security +vulnerability, or as a security vulnerability. If the Coordinator needs +help from core team member experts in making the determination, the +experts may be added as 'Collaborators' to the GHSA ticket. +Accepted security vulnerabilities will be moved to the 'Draft' state in GHSA. + +If the report isn't a vulnerability, coordinators close the GHSA ticket +after optionally opening a public GitHub issue. Note that reporters often +will not open a GitHub issue on their own, as there is no longer an incentive +for them to do so without a CVE being assigned. -If a coordinator can't complete the process for any reason (time obligation, -vacation, etc.) they must find a replacement coordinator in the PSRT -and reassign the vulnerability report appropriately. +Remediating a vulnerability report +---------------------------------- + +Once a report has been accepted as a vulnerability, the remediation +development process begins. Coordinators move the GHSA ticket to a 'Draft' +state using the green 'Accept as Draft' button. Once in this state, +the PSRT bot will automatically assign a CVE ID from the Python Software +Foundation CVE Numbering Authority. + +Once a vulnerability has been accepted there are three things +the Coordinator must prepare before sending an advisory and +closing the GHSA ticket: + +* Severity calculated using CVSSv4. +* Pull request containing the fix merged with a public GitHub issue. +* Advisory title and short description of the vulnerability. + +Severity scoring +~~~~~~~~~~~~~~~~ + +Severity of a vulnerability can be difficult to assess +objectively due to not knowing how software is used +in all situations. Severity is calculated from expected +or known use, not from worst-case hypothetical scenarios. + +The PSRT and PSF CNA use `CVSSv4`_ for calculating +the severity of a vulnerability. GHSA tickets provide a +CVSSv4 calculator within the ticket UI. Note that GitHub defaults to CVSSv3, +change the scoring algorithm to CVSSv4 before scoring in the ticket UI. +As with all aspects of PSRT operations, coordinators are encouraged to ask +for help in calculating a severity from other PSRT members. + +.. _CVSSv4: https://www.first.org/cvss/v4.0/ + +Developing a patch privately +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Patch development can initially be done privately by selecting the +'Start a temporary private fork' button within the GHSA ticket. Note that +due to the size of git repositories, this fork repository may +take several minutes to create. Once the fork has been created any PSRT member +or GHSA collaborator can clone the fork and develop a fix and push a branch: + +.. code-block:: shell + + git clone https://github.com/python/cpython-ghsa-abcd-efgh-ijkl.git + cd cpython-ghsa-abcd-efgh-ijkl + git checkout -b advisory-fix-1 + + # (develop a fix) + + git add ... + git commit -m "Fix" + git push origin advisory-fix-1 + +From here a pull request can be opened within the GHSA ticket +to be reviewed privately. The coordinator can add core team experts +to help with review if reviewers aren't available within PSRT. +Once the patch has been approved +a public GitHub issue and pull request can be opened. +Generate a blurb in the category ``Security`` for the public pull request. +Public issues and pull requests for security fixes should use the +``type-security`` label. -Coordinators are expected to collaborate with other PSRT and core team members -when needed for guidance on whether the report is an actual vulnerability, -severity, advisory text, and fixes. +To quickly pull a patch file from a GHSA pull request, you +can append ``.patch`` to the pull request URL, like so: + +.. code-block:: shell + + curl https://github.com/python/cpython-ghsa-abcd-efgh-ijkl/pull/1.patch \ + --output ghsa-abcd-efgh-ijkl.patch + +This patch can then be applied and pushed to the public GitHub repository: + +.. code-block:: shell + + git remote -v + origin ssh://git@github.com/.../cpython (fetch) + origin ssh://git@github.com/.../cpython (fetch) -**The vulnerability coordination process is:** + git checkout -b branch-name + git apply ./ghsa-abcd-efgh-ijkl.patch + git push origin branch-name -* Coordinator will determine whether the report constitutes a vulnerability. If the report isn't a vulnerability, - the reporter should be notified appropriately. Close the GHSA report, the report can be reopened if - sufficient evidence is later obtained that the report is a vulnerability. +.. warning:: **IMPORTANT:** CPython's backport infrastructure + is used for tracking backported patches. Use **one GitHub issue + per CVE** to accurately track backports of vulnerability fixes. + For new CVEs, even when related to a previous issue, **open a + new GitHub issue** to accurately track fixed versions. + +.. warning:: **IMPORTANT:** Don't select the green 'Merge pull request' + or 'Publish advisory' buttons within GHSA. Advisories are published + to the mailing list, and the 'Merge pull request' button within + GHSA bypasses all continuous integration and branch protection + steps. Use a public pull request instead. -* After a vulnerability report is accepted, a Common Vulnerabilities and Exposures (CVE) ID must be assigned. If this is not done - automatically, then a CVE ID can be obtained by the coordinator sending an email to ``cna@python.org``. - No details about the vulnerability report need to be shared with the PSF CVE Numbering Authority (CNA) for a CVE ID to be reserved. +Publishing an advisory +~~~~~~~~~~~~~~~~~~~~~~ -* If the report is a vulnerability, the coordinator will determine the severity of the vulnerability. Severity is one of: - **Low**, **Medium**, **High**, and **Critical**. Coordinators can use their knowledge of the code, how the code is likely used, - or another mechanism like Common Vulnerability Scoring System (CVSS) for determining a severity. Add this information to the GitHub Security Advisory. +Once the vulnerability fix has been merged in a public GitHub into the ``main`` +branch, an advisory must be published. The advisory requires the severity, +a title, and a short description of the vulnerable module, function(s), +behavior and fix. This short description can optionally include mitigation steps +if applying the patch isn't the only way to mitigate the vulnerability. -* Once a CVE ID is assigned, the coordinator will share the acceptance and CVE ID with the reporter. - Use this CVE ID for referencing the vulnerability. The coordinator will ask the reporter - if the reporter would like to be credited publicly for the report and if so, how they would like to be credited. - Add this information to the GitHub Security Advisory. +* Send an email to the ``security-announce@python.org`` mailing list + using the `advisory template`_, including title, severity, description. +* The advisory email will be received by PSF CVE Numbering Authority + operators and used to publish a CVE record. +* Begin the backporting process for all Python branches still receiving + security updates. Add the ``type-security`` and ``release-blocker`` labels + to each backport pull request so that release managers can find them prior + to releases. -* The coordinator authors the vulnerability advisory text. The advisory must include the following information: +After an advisory email is sent, the GHSA ticket can be closed. - * Title should be a brief description of the vulnerability and affected component - (for example, "Buffer over-read in SSLContext.set_npn_protocols()") - - * Short description of the vulnerability, impact, and the conditions where the affected component is vulnerable, if applicable. - - * Affected versions. This could be "all versions", but if the vulnerability exists in a new feature - or removed feature then this could be different. Include versions that are end-of-life in this calculation - (for example, "Python 3.9 and earlier", "Python 3.10 and later", "all versions of Python"). - - * Affected components and APIs. The module, function, class, or method must be specified so users can - search their codebase for usage. For issues affecting the entire project, this can be omitted. - - * Mitigations for the vulnerability beyond upgrading to a fixed version, if applicable. - - This can all be done within the GitHub Security Advisory UI for easier collaboration between reporter and coordinator. - -* The coordinator determines the fix approach and who will provide a fix. - Some reporters are willing to provide or collaborate to create a fix, - otherwise relevant core team members can be invited to collaborate by - the coordinator. - - * For **Low** and **Medium** severity vulnerabilities it is acceptable - to develop a fix in public. - The pull request must be marked with the ``security`` and ``release-blocker`` - labels so that a release is not created without including the fix. - - * For **High** and **Critical** severity vulnerabilities the fix must be - developed privately using GitHub Security Advisories' "Private Forks" feature. - Core team members can be added to the GitHub Security Advisory via "collaborators" - to work on the fix together. Once a fix is approved privately and tested, - a public issue and pull request can be created with - the ``security`` and ``release-blocker`` labels. - -* Once the pull request is merged the advisory can be published. The coordinator will send the advisory by email - to ``security-announce@python.org`` using the below template. Backport labels must be added as appropriate. - After the advisory is published a CVE record can be created. +.. _advisory template: #advisory-email Handling code signing certificate reports ----------------------------------------- @@ -210,7 +292,8 @@ These template responses should be used as guidance for messaging in various points in the process above. They are not required to be sent as-is, please feel free to adapt them as needed for the current context. -**Directing to GitHub Security Advisories:** +Submit using GitHub Security Advisories +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. highlight:: none @@ -218,16 +301,12 @@ please feel free to adapt them as needed for the current context. Thanks for submitting this report. We use GitHub Security Advisories for triaging vulnerability reports, - are you able to submit your report directly to GitHub? + please submit your report here: https://github.com/python/cpython/security/advisories/new - If you're unable to submit a report to GitHub (due to not having a GitHub - account or something else) let me know and I will create a GitHub Security - Advisory on your behalf, although you won't be able to participate directly - in discussions. - -**Rejecting a vulnerability report:** +Rejecting a vulnerability report +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ :: @@ -236,35 +315,18 @@ please feel free to adapt them as needed for the current context. If you are interested in working on this further, you can optionally open a public issue on GitHub. -**Accepting a vulnerability report:** - -:: - - Thanks for your report. We've determined that the report - is a vulnerability. We've assigned {CVE-YYYY-XXXX} and determined - a severity of {Low,Medium,High,Critical}. Let us know if you disagree - with the determined severity. - - If you would like to be publicly credited for this vulnerability as the - reporter, please indicate that, along with how you would like to be - credited (name or organization). - - Please keep this vulnerability report private until we've published - an advisory to ``security-announce@python.org``. - -**Advisory email:** +Advisory email +~~~~~~~~~~~~~~ :: Title: [{CVE-YYYY-XXXX}] {title} - There is a {LOW, MEDIUM, HIGH, CRITICAL} severity vulnerability - affecting {project}. + There is a {LOW, MEDIUM, HIGH, CRITICAL} severity vulnerability affecting {project}. {description} - Please see the linked CVE ID for the latest information on - affected versions: + Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id={CVE-YYYY-XXXX} * {pull request URL} From a4b4daea5fab2d3f8761a3d0580d2c03288b22a8 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Fri, 20 Mar 2026 18:28:50 +0000 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- developer-workflow/psrt.rst | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index 7dc238923..0e2a2e44b 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst @@ -108,11 +108,12 @@ to be responsible for moving the report through the process. The "Coordinator" role is assigned using a "Credit" in a GHSA ticket (Select 'Edit' > 'Credit' > Add GitHub username and the role 'Coordinator'). -If a GHSA ticket is idle for 3 days without a coordinator -assigned a non-"Release Manager" / "Steering Council" -PSRT member will be automatically assigned as coordinator by the PSRT bot. +If a GHSA ticket is idle for three days without a coordinator +assigned a PSRT member who is not a Release Manager +or Steering Council member will be automatically assigned +as coordinator by the PSRT bot. If a coordinator can't complete the process -they must find a replacement coordinator in the PSR +they must find a replacement coordinator in the PSRT and re-assign the GHSA ticket. Determining whether a report is a vulnerability @@ -124,7 +125,7 @@ Determining whether a report is a vulnerability The coordinator will make a determination about a report, either marking the ticket as a non-issue, as an issue that isn't a security vulnerability, or as a security vulnerability. If the Coordinator needs -help from core team member experts in making the determination, the +help from core team experts in making the determination, the experts may be added as 'Collaborators' to the GHSA ticket. Accepted security vulnerabilities will be moved to the 'Draft' state in GHSA. @@ -172,7 +173,7 @@ Developing a patch privately Patch development can initially be done privately by selecting the 'Start a temporary private fork' button within the GHSA ticket. Note that -due to the size of git repositories, this fork repository may +due to the size of Git repositories, this fork repository may take several minutes to create. Once the fork has been created any PSRT member or GHSA collaborator can clone the fork and develop a fix and push a branch: @@ -195,7 +196,7 @@ Once the patch has been approved a public GitHub issue and pull request can be opened. Generate a blurb in the category ``Security`` for the public pull request. Public issues and pull requests for security fixes should use the -``type-security`` label. +:gh-label:`type-security` label. To quickly pull a patch file from a GHSA pull request, you can append ``.patch`` to the pull request URL, like so: @@ -232,9 +233,10 @@ This patch can then be applied and pushed to the public GitHub repository: Publishing an advisory ~~~~~~~~~~~~~~~~~~~~~~ -Once the vulnerability fix has been merged in a public GitHub into the ``main`` -branch, an advisory must be published. The advisory requires the severity, -a title, and a short description of the vulnerable module, function(s), +Once the vulnerability fix has been merged into the main branch via a +public GitHub pull request, an advisory must be published. +The advisory requires the severity, +a title, and a short description of the vulnerable module, functions, behavior and fix. This short description can optionally include mitigation steps if applying the patch isn't the only way to mitigate the vulnerability. @@ -243,9 +245,9 @@ if applying the patch isn't the only way to mitigate the vulnerability. * The advisory email will be received by PSF CVE Numbering Authority operators and used to publish a CVE record. * Begin the backporting process for all Python branches still receiving - security updates. Add the ``type-security`` and ``release-blocker`` labels + security updates. Add the :gh-label:`type-security` and :gh-label:`release-blocker` labels to each backport pull request so that release managers can find them prior - to releases. + to releasing. After an advisory email is sent, the GHSA ticket can be closed. From 9b967984fa6aff29d151165fbc08238d7ed931c6 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Fri, 20 Mar 2026 17:07:42 -0500 Subject: [PATCH 3/4] Add 'mermaid' diagram sources, clarify patch development responsibility --- _static/psrt-coordinator-report.html | 3 +++ _static/psrt-coordinator-report.mermaid | 18 ++++++++++++++++++ _static/psrt-coordinator-report.svg | 2 -- _static/psrt-coordinator-triage.html | 3 +++ _static/psrt-coordinator-triage.mermaid | 25 +++++++++++++++++++++++++ _static/psrt-coordinator-triage.svg | 2 -- developer-workflow/psrt.rst | 22 +++++++++++++++++----- 7 files changed, 66 insertions(+), 9 deletions(-) create mode 100644 _static/psrt-coordinator-report.html create mode 100644 _static/psrt-coordinator-report.mermaid delete mode 100644 _static/psrt-coordinator-report.svg create mode 100644 _static/psrt-coordinator-triage.html create mode 100644 _static/psrt-coordinator-triage.mermaid delete mode 100644 _static/psrt-coordinator-triage.svg diff --git a/_static/psrt-coordinator-report.html b/_static/psrt-coordinator-report.html new file mode 100644 index 000000000..29489eed0 --- /dev/null +++ b/_static/psrt-coordinator-report.html @@ -0,0 +1,3 @@ +

+

Received a report...

...via security@python.org?

PSRT admin reviews email

Reject

Accept

PSRT asks reporter to open via GHSA

...via GHSA

GHSA in state “Triage”

 +

\ No newline at end of file diff --git a/_static/psrt-coordinator-report.mermaid b/_static/psrt-coordinator-report.mermaid new file mode 100644 index 000000000..9ad3bae96 --- /dev/null +++ b/_static/psrt-coordinator-report.mermaid @@ -0,0 +1,18 @@ +flowchart TD + report[Received a report...] + via_security_at_python_dot_org[...via security@python.org?] + psrt_admin_review[PSRT admin reviews email] + email_reject[Reject] + email_accept[Accept] + open_via_ghsa[PSRT asks reporter to open via GHSA] + via_ghsa[...via GHSA] + ghsa_triage[GHSA in state “Triage”] + + report-->via_security_at_python_dot_org + via_security_at_python_dot_org-->psrt_admin_review + psrt_admin_review-->email_reject + psrt_admin_review-->email_accept + email_accept-->open_via_ghsa + open_via_ghsa-->ghsa_triage + report-->via_ghsa + via_ghsa----->ghsa_triage diff --git a/_static/psrt-coordinator-report.svg b/_static/psrt-coordinator-report.svg deleted file mode 100644 index 4e84c27d7..000000000 --- a/_static/psrt-coordinator-report.svg +++ /dev/null @@ -1,2 +0,0 @@ - -

Received a report...

... via security@python.org?

... via GHSA?

PSRT admin reviews email

Reject

Approve

PSRT asks reporter to open via GHSA

GHSA in state 'Triage'

 diff --git a/_static/psrt-coordinator-triage.html b/_static/psrt-coordinator-triage.html new file mode 100644 index 000000000..3ffc154e8 --- /dev/null +++ b/_static/psrt-coordinator-triage.html @@ -0,0 +1,3 @@ +

+

GHSA in state “Triage”

PSRT member volunteers as Coordinator

After 3 days idle, Coordinator is auto-assigned

GHSA ticket updated to set Credit for Coordinator

Cooridnator determines whether report...

...is a non-issue or invalid

...is a bug but not security relevant

...is a security issue

Coordinator opens a public GitHub issue

Close the GHSA ticket

Move GHSA ticket to “Draft”

 +

\ No newline at end of file diff --git a/_static/psrt-coordinator-triage.mermaid b/_static/psrt-coordinator-triage.mermaid new file mode 100644 index 000000000..57771cda4 --- /dev/null +++ b/_static/psrt-coordinator-triage.mermaid @@ -0,0 +1,25 @@ +flowchart TD + ghsa_triage[GHSA in state “Triage”] + psrt_member_volunteers[PSRT member volunteers as Coordinator] + psrt_member_assigned[After 3 days idle, Coordinator is auto-assigned] + coordinator_assigned[GHSA ticket updated to set Credit for Coordinator] + coordinator_determines[Cooridnator determines whether report...] + report_is_a_non_issue[...is a non-issue or invalid] + report_is_a_bug_but_not_security[...is a bug but not security relevant] + report_is_a_security_issue[...is a security issue] + coordinator_opens_public_github_issue[Coordinator opens a public GitHub issue] + close_ghsa[Close the GHSA ticket] + ghsa_draft[Move GHSA ticket to “Draft”] + + ghsa_triage-->psrt_member_volunteers + ghsa_triage-->psrt_member_assigned + psrt_member_volunteers-->coordinator_assigned + psrt_member_assigned-->coordinator_assigned + coordinator_assigned-->coordinator_determines + coordinator_determines-->report_is_a_non_issue + coordinator_determines-->report_is_a_bug_but_not_security + coordinator_determines-->report_is_a_security_issue + report_is_a_non_issue--->close_ghsa + report_is_a_bug_but_not_security-->coordinator_opens_public_github_issue + coordinator_opens_public_github_issue-->close_ghsa + report_is_a_security_issue--->ghsa_draft \ No newline at end of file diff --git a/_static/psrt-coordinator-triage.svg b/_static/psrt-coordinator-triage.svg deleted file mode 100644 index 3e49ea805..000000000 --- a/_static/psrt-coordinator-triage.svg +++ /dev/null @@ -1,2 +0,0 @@ - -

GHSA in state 'Triage'

PSRT member volunteers as Coordinator

After 3 days idle Coordinator is auto-assigned

Coordinator determines whether the report...

...is a non-issue or invalid

...is a bug, but not security relevant

...is a security issue

Close the GHSA ticket

Coordinator opens a public GitHub issue

Move GHSA to state 'Draft'

 diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index 0e2a2e44b..dbf51f810 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst @@ -96,7 +96,7 @@ For projects that use GHSA, reports to ``security@python.org`` should have reporters `re-open their report using GHSA`_. .. raw:: html - :file: ../_static/psrt-coordinator-report.svg + :file: ../_static/psrt-coordinator-report.html .. _re-open their report using GHSA: #submit-using-github-security-advisories @@ -108,6 +108,13 @@ to be responsible for moving the report through the process. The "Coordinator" role is assigned using a "Credit" in a GHSA ticket (Select 'Edit' > 'Credit' > Add GitHub username and the role 'Coordinator'). +.. warning:: + Assigning the "Coordinator" role to each GHSA ticket is important, + as this metadata records whether a PSRT member is + `"active" according to PEP 811`_ to avoid being removed due to inactivity. + +.. _"active" according to PEP 811: https://peps.python.org/pep-0811/#psrt-membership-policy + If a GHSA ticket is idle for three days without a coordinator assigned a PSRT member who is not a Release Manager or Steering Council member will be automatically assigned @@ -116,12 +123,12 @@ If a coordinator can't complete the process they must find a replacement coordinator in the PSRT and re-assign the GHSA ticket. +.. raw:: html + :file: ../_static/psrt-coordinator-triage.html + Determining whether a report is a vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. raw:: html - :file: ../_static/psrt-coordinator-triage.svg - The coordinator will make a determination about a report, either marking the ticket as a non-issue, as an issue that isn't a security vulnerability, or as a security vulnerability. If the Coordinator needs @@ -191,7 +198,12 @@ or GHSA collaborator can clone the fork and develop a fix and push a branch: From here a pull request can be opened within the GHSA ticket to be reviewed privately. The coordinator can add core team experts -to help with review if reviewers aren't available within PSRT. +as collaborators as necessary to the GHSA to develop the patch and to review +the patch if the expertise for patch development or review +aren't available within PSRT. Coordinators are not necessarily responsible +with developing patches themselves: only with seeing that a patch is +developed in a timely fashion by involving experts as necessary. + Once the patch has been approved a public GitHub issue and pull request can be opened. Generate a blurb in the category ``Security`` for the public pull request. From 7ac288928db752f368e02a45af65a76485d5ff82 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Fri, 20 Mar 2026 22:07:59 +0000 Subject: [PATCH 4/4] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- _static/psrt-coordinator-report.html | 2 +- _static/psrt-coordinator-triage.html | 2 +- _static/psrt-coordinator-triage.mermaid | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/_static/psrt-coordinator-report.html b/_static/psrt-coordinator-report.html index 29489eed0..280dd24e7 100644 --- a/_static/psrt-coordinator-report.html +++ b/_static/psrt-coordinator-report.html @@ -1,3 +1,3 @@

Received a report...

...via security@python.org?

PSRT admin reviews email

Reject

Accept

PSRT asks reporter to open via GHSA

...via GHSA

GHSA in state “Triage”

 -

\ No newline at end of file +

diff --git a/_static/psrt-coordinator-triage.html b/_static/psrt-coordinator-triage.html index 3ffc154e8..f10f93835 100644 --- a/_static/psrt-coordinator-triage.html +++ b/_static/psrt-coordinator-triage.html @@ -1,3 +1,3 @@

GHSA in state “Triage”

PSRT member volunteers as Coordinator

After 3 days idle, Coordinator is auto-assigned

GHSA ticket updated to set Credit for Coordinator

Cooridnator determines whether report...

...is a non-issue or invalid

...is a bug but not security relevant

...is a security issue

Coordinator opens a public GitHub issue

Close the GHSA ticket

Move GHSA ticket to “Draft”

 -

\ No newline at end of file +

diff --git a/_static/psrt-coordinator-triage.mermaid b/_static/psrt-coordinator-triage.mermaid index 57771cda4..c43a88c65 100644 --- a/_static/psrt-coordinator-triage.mermaid +++ b/_static/psrt-coordinator-triage.mermaid @@ -22,4 +22,4 @@ flowchart TD report_is_a_non_issue--->close_ghsa report_is_a_bug_but_not_security-->coordinator_opens_public_github_issue coordinator_opens_public_github_issue-->close_ghsa - report_is_a_security_issue--->ghsa_draft \ No newline at end of file + report_is_a_security_issue--->ghsa_draft