| Version | Description | Supported |
|---|---|---|
| master | The stable release of the project | ✅ |
| dev | The actual release of the project | ❌ |
If you think you have found a potential security vulnerability in requests, please email us directly. Do not file a public issue.
If English is not your first language, please try to describe the problem and its impact to the best of your ability. For greater detail, please use your native language and we will try our best to translate it using online services.
Please also include the code you used to find the problem and the shortest amount of code necessary to reproduce it.
Please do not disclose this to anyone else.
We will respect your privacy and will only publicize your involvement if you grant us permission.
This following information discusses the process the requests project follows in response to vulnerability disclosures. If you are disclosing a vulnerability, this section of the documentation lets you know how we will respond to your disclosure.
When you report an issue, one of the project members will respond to you as soon as possible. This initial response will at the very least confirm receipt of the report.
If we were able to rapidly reproduce the issue, the initial response will also contain confirmation of the issue. If we are not, we will often ask for more information about the reproduction scenario.
Our goal is to have a fix for any vulnerability released as soon as possible of the initial disclosure.
Once the fix is prepared, we will notify you that we believe we have a fix. Often we will ask you to confirm the fix resolves the problem in your environment, especially if we are not confident of our reproduction scenario.
At this point, we will prepare for the release. We will also decide on a planned release date, and let you know when it is. This release date will always be on a weekday.
On release day, we will push the patch to our public repository, along with an updated changelog that describes the issue and credits you.