This page can be used for reporting security vulnerabilities in any of the Python Cryptographic Authority family of libraries, as well as our infrastructure (e.g. Jenkins we run).
Because we're building libraries for security, we take a very broad view of what constitutes a security vulnerability. Our definition for a vulnerability is:
Anytime it’s possible to write code using the library's public API which does not provide the guarantees that a reasonable developer would expect it to based on our documentation.
For our Jenkins, we are interested in any vulnerabilities that allow an attacker to mutate our infrastructure or would allow them to interfere with artifacts from our release process (e.g. by changing Jenkins' configuration or gaining persistent code execution on our workers).
For our other web properties we are interested in any typical web vulnerabilities, please note that our websites are all (so far as we know) static.
The following findings do not qualify:
Contact us if you want more information.