From 1f2a56567c565d91d797b8a9071ff77a75b52080 Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Thu, 26 Feb 2026 10:20:21 -0300 Subject: Adjusted default DoS severity level in Security Policy. --- docs/internals/security.txt | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/internals/security.txt b/docs/internals/security.txt index a3d57e8d7c..5214bf0704 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -347,8 +347,10 @@ will not issue patches or new releases for those versions. Security issue severity levels ============================== -The severity level of a security vulnerability is determined by the attack -type. +The severity level of a security vulnerability is determined primarily by the +attack type. The Django Security Team retains the authority to adjust severity +levels based on the specific characteristics, context, and potential real-world +impact of individual vulnerabilities. Severity levels are: @@ -361,16 +363,21 @@ Severity levels are: * Cross site scripting (XSS) * Cross site request forgery (CSRF) - * Denial-of-service attacks * Broken authentication * **Low** + * Denial-of-service attacks * Sensitive data exposure * Broken session management * Unvalidated redirects/forwards * Issues requiring an uncommon configuration option +For example, a denial-of-service vulnerability that is exploitable by +unauthenticated attackers and affects default Django configurations, causing +severe performance degradation or service unavailability, may be elevated to +**Moderate**, given the potential impact across the Django ecosystem. + .. _security-disclosure: How Django discloses security issues -- cgit v1.3