summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authornessita <124304+nessita@users.noreply.github.com>2025-02-04 08:54:01 -0300
committerGitHub <noreply@github.com>2025-02-04 08:54:01 -0300
commitf609a2da868b2320ecdc0551df3cca360d5b5bc3 (patch)
tree8dff18378e4d0195596ad98b28186e2cd30dc392 /docs
parent1330cb570519170bb4397b4fb02c7e3e0657855a (diff)
Refs #35612 -- Extended docs on how the security team evaluates reports.
Co-authored-by: Shai Berger <shai@platonix.com>
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/security.txt10
1 files changed, 8 insertions, 2 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index 6aac9a6b66..4c3aca61e0 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -49,8 +49,14 @@ requires a security release:
* The vulnerability is within a :ref:`supported version <security-support>` of
Django.
-* The vulnerability applies to a production-grade Django application. This means
- the following do not require a security release:
+* The vulnerability does not depend on manual actions that rely on code
+ external to Django. This includes actions performed by a project's developer
+ or maintainer using developer tools or the Django CLI. For example, attacks
+ that require running management commands with uncommon or insecure options
+ do not qualify.
+
+* The vulnerability applies to a production-grade Django application. This
+ means the following scenarios do not require a security release:
* Exploits that only affect local development, for example when using
:djadmin:`runserver`.