From 321f8ccf45ac2f055e4483c3080c041f7f202e5f Mon Sep 17 00:00:00 2001 From: Zanie Blue Date: Tue, 28 Jan 2025 14:06:53 -0600 Subject: [PATCH] Add SECURITY policy (#11035) Closes https://github.com/astral-sh/uv/issues/11020 --- SECURITY.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..b6cd79cf9 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,23 @@ +# Security policy + +## Scope of security vulnerabilities + +uv is a Python package manager. Due to the design of the Python packaging ecosystem and the dynamic +nature of Python itself, there are many cases where uv can execute arbitrary code. For example: + +- uv invokes Python interpreters on the system to retrieve metadata +- uv builds source distributions as described by PEP 517 +- uv may build packages from the requested package indexes + +These are not considered vulnerabilities in uv. If you think uv's stance in these areas can be +hardened, please file an issue for a new feature. + +## Reporting a vulnerability + +If you have found a possible vulnerability that is not excluded by the above +[scope](#scope-of-security-vulnerabilities), please email `security at astral dot sh`. + +## Bug bounties + +While we sincerely appreciate and encourage reports of suspected security problems, please note that +Astral does not currently run any bug bounty programs.
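Review bot: the "Reporting a vulnerability" section in the new SECURITY.md gives only an obfuscated email address and no guidance on what a reporter should expect, so it is worth adding one or two lines on the handling process: whether an acknowledgement will be sent and roughly when, and whether there is a key or an alternative private channel for sensitive reports, so that reporters do not fall back to a public issue. The scope section is clear about what is excluded (interpreter invocation, PEP 517 builds, building from configured indexes), but it would also help to give one sentence on what is in scope, for example defects in how uv resolves, downloads, verifies or installs packages, so that the "not excluded by the above" wording in the reporting section has a positive reference point rather than only the exclusion list.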