From efbb99e836bae56d1bdf1511ee8a2b2103313252 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 29 Jun 2026 13:21:45 +0200 Subject: [PATCH 1/2] Add note on referencing provisional CVE IDs --- security/policy.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/policy.rst b/security/policy.rst index d1accf3c0..c18ea28ec 100644 --- a/security/policy.rst +++ b/security/policy.rst @@ -138,6 +138,9 @@ Here's what to expect for how a vulnerability report will be handled: may open a public issue. * If the PSRT determines the report is a vulnerability, the PSRT will accept the report and a CVE ID will be assigned by the PSF CNA. + + Do not publicly reference the assigned CVE ID before its record is published, + as the report and ID remain provisional and may still be changed. * Once a public pull request containing a fix is merged to CPython, the advisory and CVE record will be published with attribution. From 912b8edbd9231dcd3bac1461a42432f2edda9a32 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 29 Jun 2026 13:26:07 +0200 Subject: [PATCH 2/2] Remove accidental line --- security/policy.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/security/policy.rst b/security/policy.rst index c18ea28ec..d49f4dedb 100644 --- a/security/policy.rst +++ b/security/policy.rst @@ -138,7 +138,6 @@ Here's what to expect for how a vulnerability report will be handled: may open a public issue. * If the PSRT determines the report is a vulnerability, the PSRT will accept the report and a CVE ID will be assigned by the PSF CNA. - Do not publicly reference the assigned CVE ID before its record is published, as the report and ID remain provisional and may still be changed. * Once a public pull request containing a fix is merged to CPython,
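Review bot: in the PATCH 1/2 hunk for `security/policy.rst`, the new sentence is inserted as a separate paragraph inside the "If the PSRT determines the report is a vulnerability" bullet, preceded by a bare `+` blank line; in reStructuredText a second paragraph of a list item only renders as part of that item if it is indented to the bullet's text column (two spaces, matching "the report and a CVE ID will be assigned by the PSF CNA."), otherwise Sphinx closes the list and emits the text as a top-level paragraph, so confirm the indentation of the two added lines and that the blank line is intended. The wording could also be tightened: "as the report and ID remain provisional and may still be changed" reads better as "as both the report and the ID remain provisional and may still change", and since the following bullet states that "the advisory and CVE record will be published" once the fix is merged, "before its record is published" could reference that step explicitly so reporters know when the embargo on the ID ends.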
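Review bot: the PATCH 2/2 hunk removes only the blank line, which joins "Do not publicly reference the assigned CVE ID before its record is published, as the report and ID remain provisional and may still be changed." onto the same paragraph as "the report and a CVE ID will be assigned by the PSF CNA."; that is a valid list-item continuation and reads fine as one paragraph, but if a visually separate note was intended the fix is to keep the blank line and indent the continuation, not to delete it. Because this commit exists solely to correct PATCH 1/2 ("Remove accidental line"), squash the two patches into one commit before merging so the policy history does not record the accidental line.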