From cb7e5b2f9565ef972994487085725a675c99546f Mon Sep 17 00:00:00 2001
From: Zanie Blue <contact@zanie.dev>
Date: Tue, 28 Jan 2025 13:16:58 -0600
Subject: [PATCH] Add SECURITY policy

---
 SECURITY.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000000..b6cd79cf9707
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security policy
+
+## Scope of security vulnerabilities
+
+uv is a Python package manager. Due to the design of the Python packaging ecosystem and the dynamic
+nature of Python itself, there are many cases where uv can execute arbitrary code. For example:
+
+- uv invokes Python interpreters on the system to retrieve metadata
+- uv builds source distributions as described by PEP 517
+- uv may build packages from the requested package indexes
+
+These are not considered vulnerabilities in uv. If you think uv's stance in these areas can be
+hardened, please file an issue for a new feature.
+
+## Reporting a vulnerability
+
+If you have found a possible vulnerability that is not excluded by the above
+[scope](#scope-of-security-vulnerabilities), please email `security at astral dot sh`.
+
+## Bug bounties
+
+While we sincerely appreciate and encourage reports of suspected security problems, please note that
+Astral does not currently run any bug bounty programs.