| Version | Supported |
|---|---|
| Latest PyGitUp release | ✅ |
| All prior versions | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
If you believe you've found a security vulnerability in PyGitUp, please report it by using GitHub's private vulnerability reporting feature.
Please include:
- A clear description of the vulnerability
- A realistic attack scenario demonstrating how untrusted external input leads to the security impact
- Steps to reproduce
- Your assessment of severity and impact
I aim to respond within 7 days and will work with you on a fix and coordinated disclosure on a mutually agreed timeline if the issue is valid.
This security policy applies to the PyGitUp package as distributed via PyPI and the source code in the msiemens/PyGitUp repository.
Security reports must demonstrate that PyGitUp itself is the source of the vulnerability, not simply present in a vulnerable scenario.
The following are not considered PyGitUp vulnerabilities:
- Vulnerabilities in dependencies. Please report these to the respective projects.
- Vulnerabilities in Git itself. PyGitUp relies on Git; vulnerabilities in Git should be reported to the Git project.
- Local access attacks. If an attacker has local access to modify `.gitconfig` or `.git/config` files, this represents a broader system compromise, not a PyGitUp vulnerability.
- Social engineering attacks. Attacks that rely on tricking users into performing actions are out of scope.