summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/security.txt10
1 files changed, 8 insertions, 2 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index 6aac9a6b66..4c3aca61e0 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -49,8 +49,14 @@ requires a security release:
* The vulnerability is within a :ref:`supported version <security-support>` of
Django.
-* The vulnerability applies to a production-grade Django application. This means
- the following do not require a security release:
+* The vulnerability does not depend on manual actions that rely on code
+ external to Django. This includes actions performed by a project's developer
+ or maintainer using developer tools or the Django CLI. For example, attacks
+ that require running management commands with uncommon or insecure options
+ do not qualify.
+
+* The vulnerability applies to a production-grade Django application. This
+ means the following scenarios do not require a security release:
* Exploits that only affect local development, for example when using
:djadmin:`runserver`.