We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.5.x | ✅ |
| < 1.5 | ❌ |
Older releases may receive a fix at maintainers' discretion when the issue is severe and an upgrade is not feasible. The latest 1.x release is always the recommended target.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing:
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- Type of vulnerability (e.g., credential exposure, request smuggling, deserialization issue, etc.)
- Full paths of source file(s) related to the vulnerability
- The location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- The Python version, the hyperping package version, and any relevant transitive dependency versions (from `pip show hyperping` and `python --version`)
This information will help us triage your report more quickly.
We prefer all communications to be in English.
Once a report is received, it is handled as follows:
- The security report is received and assigned a primary handler
- The problem is confirmed and a list of affected versions determined
- Code is audited to find any potential similar problems
- Fixes are prepared for all supported releases
- New versions are released to PyPI as soon as possible, and a GitHub Security Advisory is published
We believe in responsible disclosure. We will coordinate the public disclosure with you, and we prefer to fully disclose the vulnerability once a patch is available on PyPI.
If you have suggestions on how this process could be improved, please submit a pull request or open an issue to discuss.
Thank you for helping keep hyperping-python and our users safe!