The Pylons team have set up a mailing list at wsgi-security-announce@googlegroups.com to which any security vulnerabilities that affect Pylons will be announced. Anyone wishing to be notified of vulnerabilities in Pylons should subscribe to this list. Security announcements will only be made once a solution to the problem has been discovered.
Please report security issues by email to both lead developers of Pylons at the following addresses:
bengroovie.org
security3aims.com
Please DO NOT announce the vulnerability to any mailing lists or on the ticket system because we would not want any malicious person to be aware of the problem before a solution is available.
In the event of a confirmed vulnerability in Pylons itself, we will take the following actions:
This will probably mean a new release of Pylons, but in some cases it may simply be the release of documentation explaining how to avoid the vulnerability.
In the event of a confirmed vulnerability in one of the components that Pylons uses, we will take the following actions: