Get Support

Security Issues

To report security issues with projects under the Pylons Project send email to: If we determine that your report may be a security issue with the project, we may contact you for further information. We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us. This will allow sufficient time for us to process your report and coordinate disclosure with you.

Once verified and fixed, the following steps will be taken.

  • We will use GitHub's Security Advisory tool to report the issue.
  • GitHub will review our Security Advisory report for compliance with Common Vulnerabilities and Exposures (CVE) rules.
  • If it is compliant, they will submit it to the MITRE Corporation to generate a CVE. This in turn submits the CVE to the National Vulnerability Database (NVD). GitHub notifies us of their decision.
  • Assuming it is compliant, we then publish our Security Advisory on GitHub, which triggers the next steps.
  • GitHub will publish the CVE to the CVE List.
  • GitHub will broadcast our Security Advisory via the GitHub Advisory Database.
  • GitHub will send security alerts to all repositories that use our package (and have opted into security alerts). This includes Dependabot alerts.
  • We will make a bug-fix release.
  • We will send an announcement through our usual channels, including those listed on the Pylons Project website's Contact page.
  • We will provide credit to the reporter or researcher in the vulnerability notice.

General Support

Mail list / Google Group

For help with Pylons Project projects, and to reach the largest audience (over 2800 participants), including requests for help with your code, you may post to the pylons-discuss mail list.

Stack Overflow

Stack Overflow is a question and answer website that is very popular with developers. Questions may be tagged with the project's name, such as Pyramid or WebOb. You may search for related questions, or ask new questions which will notify the tag's followers.

#pyramid on IRC

Pylons Project developers (150-250 participants) are also generally available on the #pyramid channel on the Freenode IRC Network.

GitHub issue trackers

GitHub is the least desirable option. Posting a request for general support to the project's GitHub issue tracker reaches the smallest audience, and takes time away from fixing bugs and adding features. Please don't be "that person".

Using Support Wisely

Before asking a technical question on a mail list or in IRC, please make sure to try the following things (paraphrased from Before You Ask):

  • Reading the manual.
  • Searching the mail list archives.
  • Searching Stack Overflow.
  • Searching the Web.
  • Try to find an answer by inspection or experimentation.
  • If you're a programmer, try to find an answer by reading the source code.

After exhausing these avenues, it's completely appropriate to ask a question on the pylons-discuss mail list or #pyramid and #pylons IRC channels. When you ask your question, please describe what you've learned from the efforts above, as it will help the developers focus on answering your question quickly. It also helps tremendously if you are able to provide a code or configuration snippet that makes the problem easily repeatable.

See also the section "Reporting a Bug" under How to Participate.