diff options
| author | Jacob Kaplan-Moss <jacob@jacobian.org> | 2011-04-17 14:13:19 +0000 |
|---|---|---|
| committer | Jacob Kaplan-Moss <jacob@jacobian.org> | 2011-04-17 14:13:19 +0000 |
| commit | d78e08f4a0129adad0a9ee86d7af3d7203f5c564 (patch) | |
| tree | 2fb4cca069adc4fb2e1de5f840278426239205bf /docs | |
| parent | d59baa07f056b60942052b4809d71eecd323837a (diff) | |
Updated the contributing document to accurately reflect our security process.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16032 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/contributing.txt | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/docs/internals/contributing.txt b/docs/internals/contributing.txt index a46a7d7b54..c3be198add 100644 --- a/docs/internals/contributing.txt +++ b/docs/internals/contributing.txt @@ -104,19 +104,19 @@ following actions: fix is forthcoming. We'll give a rough timeline and ask the reporter to keep the issue confidential until we announce it. - * Halt all other development as long as is needed to develop a fix, - including patches against the current and two previous releases. + * Focus on developing a fix as quickly as possible and produce patches + against the current and two previous releases. * Determine a go-public date for announcing the vulnerability and the fix. To try to mitigate a possible "arms race" between those applying the patch and those trying to exploit the hole, we will not announce security problems immediately. - * Pre-notify everyone we know to be running the affected version(s) of - Django. We will send these notifications through private email - which will include documentation of the vulnerability, links to the - relevant patch(es), and a request to keep the vulnerability - confidential until the official go-public date. + * Pre-notify third-party distributors of Django ("vendors"). We will send + these vendor notifications through private email which will include + documentation of the vulnerability, links to the relevant patch(es), and a + request to keep the vulnerability confidential until the official + go-public date. * Publicly announce the vulnerability and the fix on the pre-determined go-public date. This will probably mean a new release of Django, but |
