summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-10-08 08:47:10 +0200
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-10-11 17:15:51 +0200
commita9a7ef7762adf94788425384a2a26ea5cb07462d (patch)
treeb41d9003cd13943f21638f52bdbb035883eaa414 /docs
parentb852989c3073f6748412aac68cbd080c13d0e397 (diff)
[5.1.x] Fixed #35612 -- Added documentation on how the security team evaluates reports.
Co-authored-by: Joshua Olatunji <joshua+github@etentlabs.com> Backport of 9423f8b47673779049f603a7da271d183de7dc1d from main.
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/security.txt35
1 files changed, 35 insertions, 0 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index 55300b01e1..6aac9a6b66 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -38,6 +38,41 @@ action to be taken, you may receive further followup emails.
.. _our public Trac instance: https://code.djangoproject.com/query
+.. _security-report-evaluation:
+
+How does Django evaluate a report
+=================================
+
+These are criteria used by the security team when evaluating whether a report
+requires a security release:
+
+* The vulnerability is within a :ref:`supported version <security-support>` of
+ Django.
+
+* The vulnerability applies to a production-grade Django application. This means
+ the following do not require a security release:
+
+ * Exploits that only affect local development, for example when using
+ :djadmin:`runserver`.
+ * Exploits which fail to follow security best practices, such as failure to
+ sanitize user input. For other examples, see our :ref:`security
+ documentation <cross-site-scripting>`.
+ * Exploits in AI generated code that do not adhere to security best practices.
+
+The security team may conclude that the source of the vulnerability is within
+the Python standard library, in which case the reporter will be asked to report
+the vulnerability to the Python core team. For further details see the `Python
+security guidelines <https://www.python.org/dev/security/>`_.
+
+On occasion, a security release may be issued to help resolve a security
+vulnerability within a popular third-party package. These reports should come
+from the package maintainers.
+
+If you are unsure whether your finding meets these criteria, please still report
+it :ref:`privately by emailing security@djangoproject.com
+<reporting-security-issues>`. The security team will review your report and
+recommend the correct course of action.
+
.. _security-support:
Supported versions