From d016c90108ae58610f5f159bdcfc2a537cb8409b Mon Sep 17 00:00:00 2001 From: Jeffrey 'Alex' Clark Date: Fri, 10 Apr 2026 07:43:12 -0400 Subject: [PATCH] Remove active exploitation escalation bullet from incident response Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/INCIDENT_RESPONSE.md | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/INCIDENT_RESPONSE.md b/.github/INCIDENT_RESPONSE.md index f2fd90aa7..574647f3e 100644 --- a/.github/INCIDENT_RESPONSE.md +++ b/.github/INCIDENT_RESPONSE.md @@ -124,7 +124,6 @@ Vulnerabilities and incidents may be reported or discovered through: Numbering Authority — no separate MITRE form required). The CVE is reserved privately and published automatically when the advisory goes public. 6. **Escalation** — Escalate beyond the core maintainer team if any of the following apply: - - The vulnerability is being actively exploited in the wild → notify [GitHub Security](mailto:security@github.com) and the [Python Security Response Team](https://www.python.org/news/security/) - The fix requires changes to CPython or a dependency outside Pillow's control → contact the relevant upstream immediately - A legal concern arises (e.g. GDPR-reportable data exposure) → contact the project's legal/fiscal sponsor - The Incident Lead is unreachable for > 24 hours on a Critical issue → any other maintainer may assume the role
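Review bot: dropping the "actively exploited in the wild" bullet leaves the Escalation list in step 6 with no trigger for in-the-wild exploitation, which is the highest-urgency condition a response process should name, while the remaining triggers (upstream CPython/dependency fix, legal concern, unreachable Incident Lead) all stay. If the objection was to the named recipients rather than the condition, keep the condition and replace the contacts with the correct ones, e.g. "- The vulnerability is being actively exploited in the wild → notify <correct upstream/security contact>", and state the rationale in the commit message, which currently gives none.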