author    Natalia <124304+nessita@users.noreply.github.com>  2026-02-26 10:20:21 -0300
committer Natalia <124304+nessita@users.noreply.github.com>  2026-02-26 12:21:01 -0300
commit    e65c412241578ead6dc17e9dc7280630a180d1c0 (patch)
tree      741cc84fb48b2bee98646554e5733eddc2402137
parent    5b7025317fcf817f8d2e72d871dccd437eb4db72 (diff)
[6.0.x] Adjusted default DoS severity level in Security Policy.
Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main.
-rw-r--r--  docs/internals/security.txt  13
1 files changed, 10 insertions, 3 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index 4eee394759..300e0b9e6e 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -347,8 +347,10 @@ will not issue patches or new releases for those versions.
Security issue severity levels
==============================
-The severity level of a security vulnerability is determined by the attack
-type.
+The severity level of a security vulnerability is determined primarily by the
+attack type. The Django Security Team retains the authority to adjust severity
+levels based on the specific characteristics, context, and potential real-world
+impact of individual vulnerabilities.
Severity levels are:
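Review bot: the added sentence "The Django Security Team retains the authority to adjust severity levels" does not say in which direction an adjustment may go, and the only illustration this patch gives (the denial-of-service paragraph further down) is an upward one, so a reader may infer that the team only ever raises a level. Consider stating it explicitly, e.g. "retains the authority to raise or lower the severity level based on ...".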
@@ -361,16 +363,21 @@ Severity levels are:
* Cross site scripting (XSS)
* Cross site request forgery (CSRF)
- * Denial-of-service attacks
* Broken authentication
* **Low**
+ * Denial-of-service attacks
* Sensitive data exposure
* Broken session management
* Unvalidated redirects/forwards
* Issues requiring an uncommon configuration option
+For example, a denial-of-service vulnerability that is exploitable by
+unauthenticated attackers and affects default Django configurations, causing
+severe performance degradation or service unavailability, may be elevated to
+**Moderate**, given the potential impact across the Django ecosystem.
+
.. _security-disclosure:
How Django discloses security issues
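Review bot: the "For example" paragraph lists three conditions (exploitable by unauthenticated attackers, affects default configurations, causes severe degradation or unavailability) joined by "and", but it is not clear whether all three must hold before a denial-of-service issue is elevated or whether any one of them is enough; since this paragraph is the only guidance on when the new **Low** default is overridden, consider making the conjunction explicit ("a denial-of-service vulnerability that meets all of the following ...") or saying that each factor weighs toward elevation. Because the paragraph is placed after the complete severity list rather than next to the Low bullet it qualifies, a short lead-in such as "Denial-of-service issues default to **Low**, but ..." would also tie it back to the bullet it refers to.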