diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/security.txt | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt index a3d57e8d7c..5214bf0704 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -347,8 +347,10 @@ will not issue patches or new releases for those versions. Security issue severity levels ============================== -The severity level of a security vulnerability is determined by the attack -type. +The severity level of a security vulnerability is determined primarily by the +attack type. The Django Security Team retains the authority to adjust severity +levels based on the specific characteristics, context, and potential real-world +impact of individual vulnerabilities. Severity levels are: @@ -361,16 +363,21 @@ Severity levels are: * Cross site scripting (XSS) * Cross site request forgery (CSRF) - * Denial-of-service attacks * Broken authentication * **Low** + * Denial-of-service attacks * Sensitive data exposure * Broken session management * Unvalidated redirects/forwards * Issues requiring an uncommon configuration option +For example, a denial-of-service vulnerability that is exploitable by +unauthenticated attackers and affects default Django configurations, causing +severe performance degradation or service unavailability, may be elevated to +**Moderate**, given the potential impact across the Django ecosystem. + .. _security-disclosure: How Django discloses security issues |
