diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-10-08 08:47:10 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-10-11 17:15:51 +0200 |
| commit | a9a7ef7762adf94788425384a2a26ea5cb07462d (patch) | |
| tree | b41d9003cd13943f21638f52bdbb035883eaa414 /docs | |
| parent | b852989c3073f6748412aac68cbd080c13d0e397 (diff) | |
[5.1.x] Fixed #35612 -- Added documentation on how the security team evaluates reports.
Co-authored-by: Joshua Olatunji <joshua+github@etentlabs.com>
Backport of 9423f8b47673779049f603a7da271d183de7dc1d from main.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/security.txt | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 55300b01e1..6aac9a6b66 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -38,6 +38,41 @@ action to be taken, you may receive further followup emails. .. _our public Trac instance: https://code.djangoproject.com/query +.. _security-report-evaluation: + +How does Django evaluate a report +================================= + +These are criteria used by the security team when evaluating whether a report +requires a security release: + +* The vulnerability is within a :ref:`supported version <security-support>` of + Django. + +* The vulnerability applies to a production-grade Django application. This means + the following do not require a security release: + + * Exploits that only affect local development, for example when using + :djadmin:`runserver`. + * Exploits which fail to follow security best practices, such as failure to + sanitize user input. For other examples, see our :ref:`security + documentation <cross-site-scripting>`. + * Exploits in AI generated code that do not adhere to security best practices. + +The security team may conclude that the source of the vulnerability is within +the Python standard library, in which case the reporter will be asked to report +the vulnerability to the Python core team. For further details see the `Python +security guidelines <https://www.python.org/dev/security/>`_. + +On occasion, a security release may be issued to help resolve a security +vulnerability within a popular third-party package. These reports should come +from the package maintainers. + +If you are unsure whether your finding meets these criteria, please still report +it :ref:`privately by emailing security@djangoproject.com +<reporting-security-issues>`. The security team will review your report and +recommend the correct course of action. + .. _security-support: Supported versions |
