Security Policy
Under Construction
Responsible disclosure guidelines and security practices for the PySH project.
PySH takes the security of the platform and its users seriously. As an open-source Python automation tool that runs with user-level or elevated privileges on Unix-like systems, the project is committed to responding promptly and responsibly to security reports.
If you believe you have found a security vulnerability in PySH, please do not open a public GitHub issue. Instead, report the vulnerability privately to the maintainer through the GitHub repository's private security advisory feature (Settings → Security → Advisories → Report a vulnerability). You can also use the Contact page to reach the team directly.
When reporting a vulnerability, please include: a description of the issue and its potential impact, steps to reproduce the issue on a clean PySH installation, the PySH version, Python version, and operating system where you discovered the issue, and any proof-of-concept code if available. We will acknowledge receipt within 72 hours and aim to publish a fix or mitigation within 30 days for confirmed vulnerabilities.
PySH follows responsible disclosure principles. We request that you give the project reasonable time to prepare a fix before publishing vulnerability details publicly. We will credit security researchers who report valid issues in the changelog and release notes, unless anonymity is requested.