The latest minor version of the 2.x release series is supported for security updates.

The Requests team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

Please do not report or discuss security vulnerabilities through public GitHub issues, discussions, or pull requests.

Issues can be reported privately to the maintainers by opening a Security vulnerability report.

Additionally, as Requests is used by the WordPress CMS, security issues can be reported via the WordPress HackerOne program. Full details of the WordPress Security Policy and the list of covered projects and infrastructure can be found on HackerOne.

• Please provide detailed reports with reproducible steps and a clearly defined impact.
• Include the version number of the vulnerable package in your report.
• Fixes are most welcome. A private PR can be created from the security report to work on and discuss the patch.