Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
Warning You are using TestPyPI – a separate instance of the Python Package Index that allows you to try distribution tools and processes without affecting the real index.

Reporting a security issue

We take security very seriously and ask that you follow our security policy carefully.

Important! If you believe you've identified a security issue with PyPI, DO NOT report the issue in any public forum, including (but not limited to):

  • Our GitHub issue tracker
  • Official or unofficial chat channels
  • Official or unofficial mailing lists

If you've identified a security issue with a project hosted on PyPI

Login to your PyPI account, then visit the project's page on PyPI. At the bottom of the sidebar, click Report project as malware. Supply the following details in the form:

  • A URL to the project in question
  • An explanation of what makes the project a security issue
  • A link to the problematic lines in the project's distributions via inspector.pypi.io

Valid malware reports may include examples of typo-squatting, dependency confusion, data exfiltration, obfuscation, command/control, etc.

If you've identified a security issue with PyPI itself (not a project hosted on PyPI)

Email security@pypi.org, providing as much relevant information as possible, including reproducing steps.

What happens next?

Once you've submitted an issue via email, you should receive an acknowledgment within 48 hours.

Depending on the action to be taken, you may receive further follow-up emails.


This security policy was last updated on March 2024.

Supported by

Python Software Foundation Python Software Foundation PSF Sponsor