diff --git a/README.md b/README.md
index f2e92c90cc..c205721f23 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,8 @@ identify risks in generative AI systems.
- Check out our [website](https://microsoft.github.io/PyRIT/) for more information
about how to use, install, or contribute to PyRIT.
+- Review our [security policy](https://github.com/microsoft/PyRIT/security/policy)
+ to report vulnerabilities privately through the Microsoft Security Response Center.
- Visit our [Discord server](https://discord.gg/9fMpq3tc8u) to chat with the team and community.
## Trademarks and Citations
diff --git a/doc/contributing/10_release_process.md b/doc/contributing/10_release_process.md
index 4637b9b5cd..8e274debf1 100644
--- a/doc/contributing/10_release_process.md
+++ b/doc/contributing/10_release_process.md
@@ -11,6 +11,23 @@ Follow the instructions according to the order provided.
Before starting the release process, verify the codebase is in a healthy state.
+### Required Release Reviews
+
+Use the existing release work item to record:
+
+- Release owner and target version
+- Links to the UI, documentation, and release notes
+- One reviewer each for development, security, content publishing, and user experience
+
+| Checkpoint | Timing | Completion criteria |
+|---|---|---|
+| Scope freeze | Before release testing | Reviewers assess planned customer-facing changes. Security and compatibility findings are linked and assigned. |
+| Final release candidate | Immediately before publishing | Reviewers approve the final UI, documentation, and release notes. High-priority findings are resolved or covered by an approved customer disclosure. |
+
+Do not publish until all final approvals, including reviewer names and dates, are
+recorded in the release work item. Store details about security vulnerabilities that
+have not yet been publicly disclosed only in the approved private security system.
+
- **Check for pending changes.** Ask other PyRIT maintainers whether they have any in-flight changes that should land before the release.
- **Verify build pipelines.** Confirm that all integration tests and end-to-end tests are passing in the CI pipelines. If any tests are failing, fix them before proceeding.
- **Partner integration tests.** Ensure the partner integration tests are also passing. These tests validate that we are not breaking contracts with partner teams (e.g., Foundry). If any are failing, coordinate with the affected partner teams before proceeding with the release.
@@ -254,6 +271,16 @@ since `downgrade()` risks data loss.
## 10. Publish to PyPI
+Before publishing, complete and retain this checklist in the release work item:
+
+- [ ] Technical reviews of the final customer-facing content and UI are complete, and all high-priority feedback is resolved or has an approved disposition.
+- [ ] Scope-freeze and final-release-candidate reviews are recorded.
+- [ ] The final development, content publishing, security, and user experience approvals are recorded with reviewer names and dates.
+- [ ] Release notes contain the required security and compatibility disclosures described in step 12, including explicit "None known" statements where applicable.
+- [ ] Links to review evidence and the final approved artifacts are retained in the release work item.
+
+Do not publish the package until every item is complete.
+
Create an account on pypi.org if you don't have one yet.
Ask one of the other maintainers to add you to the `pyrit` project on PyPI.
@@ -290,11 +317,30 @@ Make sure that it starts where the last release left off.
Sometimes this tool adds too many changes, or leaves a few out, so it's best to check.
Be sure to check and update the new contributors as well.
Add a header "## Full list of changes" below "## What's changed?".
-In addition to the full notes, we also want a shorter section with just the relevant
-changes that users should be aware of. The shorter section will be under "## What's changed"
-while the full list of changes will be right below.
-Maintenance changes, build pipeline updates, and documentation fixes are not really important for users.
-However, important bug fixes, new features, and breaking changes are good candidates to include.
+Under "## What's changed", summarize the important bug fixes and features that
+customers should know about. Maintenance changes, build pipeline updates, and routine
+documentation fixes can remain in the full list only.
+
+Every release must include these customer-facing sections before "## Full list of changes":
+
+```markdown
+## Security
+
+Describe security fixes and any known high-priority security issues that customers
+must consider, including affected versions and recommended actions. If there are no
+known issues to disclose, write "No known high-priority security issues."
+
+## Breaking changes and compatibility
+
+Describe breaking changes, backward-compatibility issues, affected versions, and
+migration or mitigation steps. If there are none, write "No known breaking changes
+or backward-compatibility issues."
+```
+
+Coordinate the wording of security issues that have not yet been publicly disclosed
+with the security reviewer and MSRC. Do not publish vulnerability details before their
+approved publication date. Confirm in the release work item that these sections match
+the final reviewed content and UI.
If you are unsure about whether to include certain changes please consult with your fellow
maintainers.
When you're done, hit "Publish release" and mark it as the latest release.
diff --git a/doc/myst.yml b/doc/myst.yml
index 374ac62039..5b192d30b0 100644
--- a/doc/myst.yml
+++ b/doc/myst.yml
@@ -39,6 +39,7 @@ project:
- "https://www.youtube.com/watch?v=jq9DcEL3cHE"
toc:
- file: index.md
+ - file: security.md
- file: getting_started/README.md
children:
- file: getting_started/install.md
diff --git a/doc/security.md b/doc/security.md
new file mode 100644
index 0000000000..7182ec913a
--- /dev/null
+++ b/doc/security.md
@@ -0,0 +1,14 @@
+# Security
+
+Microsoft takes the security of PyRIT seriously.
+
+If you believe you have found a security vulnerability, **do not report it through a
+public GitHub issue**. Submit it privately to the
+[Microsoft Security Response Center](https://aka.ms/security.md/msrc/create-report).
+The repository's [security policy](https://github.com/microsoft/PyRIT/security/policy)
+describes alternative reporting methods, the information to include, and Microsoft's
+coordinated vulnerability disclosure policy.
+
+Review the [PyRIT release notes](https://github.com/microsoft/PyRIT/releases) for
+customer-facing security notices, known high-priority security issues, breaking
+changes, and compatibility guidance for each release.
diff --git a/frontend/src/components/Sidebar/Navigation.test.tsx b/frontend/src/components/Sidebar/Navigation.test.tsx
index e25de60a5f..25a4ad45d6 100644
--- a/frontend/src/components/Sidebar/Navigation.test.tsx
+++ b/frontend/src/components/Sidebar/Navigation.test.tsx
@@ -96,6 +96,15 @@ describe("Navigation", () => {
expect(onOpenFeedback).toHaveBeenCalledTimes(1);
});
+ it("links to the public security policy", () => {
+ renderWithProvider(