From d419c6656e5b8b308deb5a8137081d16514d4de6 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Thu, 4 Jun 2026 17:23:40 +0100 Subject: [PATCH 1/3] Add note on unexpected exceptions to secuirty policy --- security/policy.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/policy.rst b/security/policy.rst index e79845121..880fc2eb4 100644 --- a/security/policy.rst +++ b/security/policy.rst @@ -44,6 +44,8 @@ dead-locks, and resource exhaustion) must be triggerable with data inputs that are reasonably sized for the use case. Availability vulnerabilities must also demonstrate an "upward" change in posture for the attacker, rather than a "lateral" one. +Unexpected Python exceptions are not vulnerabilities by themselves unless they +satisfy the availability criteria above. This is to avoid handling performance improvements as security vulnerabilities. Vulnerabilities in dependencies of Python (such as zlib, Tcl/Tk, or OpenSSL) From 90d59bd52feb10d0625de66815e7521ad8f267e3 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Thu, 4 Jun 2026 17:27:51 +0100 Subject: [PATCH 2/3] Ooops update sentence below too --- security/policy.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/policy.rst b/security/policy.rst index 880fc2eb4..3c7576337 100644 --- a/security/policy.rst +++ b/security/policy.rst @@ -46,7 +46,8 @@ Availability vulnerabilities must also demonstrate an "upward" change in posture for the attacker, rather than a "lateral" one. Unexpected Python exceptions are not vulnerabilities by themselves unless they satisfy the availability criteria above. -This is to avoid handling performance improvements as security vulnerabilities. +This is to avoid handling performance and correctness improvements as security +vulnerabilities. Vulnerabilities in dependencies of Python (such as zlib, Tcl/Tk, or OpenSSL) are not vulnerabilities in Python unless Python's use of the dependency 
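Review bot: in the PATCH 1/3 hunk the new sentence is inserted between the availability paragraph and "This is to avoid handling performance improvements as security vulnerabilities.", so "This" now reads as referring to the exception rule rather than to the availability criteria it was written to justify; PATCH 2/3 works around that by widening the line to "performance and correctness improvements", which changes the stated rationale instead of fixing the placement. Moving the exception sentence below the "This is to avoid ..." line keeps the original antecedent intact, and the sentence can then carry its own reason. Also, the PATCH 1/3 subject misspells "security" as "secuirty"; worth correcting before merge since the subject line ends up in the history.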
From 83b83f47e0da9f48c76e33c5b27d37ae8621790d Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 15 Jun 2026 14:58:55 +0100 Subject: [PATCH 3/3] Seth's suggestion (- "arbitrary") Co-authored-by: Seth Larson --- security/policy.rst | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/security/policy.rst b/security/policy.rst index 3c7576337..e9e1c68b1 100644 --- a/security/policy.rst +++ b/security/policy.rst @@ -44,10 +44,9 @@ dead-locks, and resource exhaustion) must be triggerable with data inputs that are reasonably sized for the use case. Availability vulnerabilities must also demonstrate an "upward" change in posture for the attacker, rather than a "lateral" one. -Unexpected Python exceptions are not vulnerabilities by themselves unless they -satisfy the availability criteria above. -This is to avoid handling performance and correctness improvements as security -vulnerabilities. +This is to avoid handling performance improvements as security vulnerabilities. +Exceptions are an expected part of control flow when processing inputs, +therefore crashes resulting from unhandled exceptions are not security vulnerabilities. Vulnerabilities in dependencies of Python (such as zlib, Tcl/Tk, or OpenSSL) are not vulnerabilities in Python unless Python's use of the dependency
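Review bot: the replacement wording in the PATCH 3/3 hunk drops the "unless they satisfy the availability criteria above" qualifier that the removed lines carried, so the new sentence reads as an absolute exclusion while the paragraph directly above it defines when an availability issue does count. Keeping the link explicit ("... are not security vulnerabilities on their own; they are judged by the availability criteria above" or similar) avoids the two paragraphs appearing to disagree. Two wording points on the same line: "crashes" suggests the interpreter itself going down rather than an exception propagating out of a program, so "termination caused by an unhandled exception" is clearer, and ", therefore" joins two independent clauses, so "so" or a semicolon reads better. The added line also runs well past the wrap width used by the surrounding lines of security/policy.rst.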