author: nessita <124304+nessita@users.noreply.github.com> 2025-02-04 08:54:01 -0300
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-02-04 08:55:11 -0300
commit: d6a44efa496f407efaf67f61499b2c2ca4317aec (patch)
tree: f6625a221ae55084f50331cb697676a57057c3e8 /docs/internals
parent: 209d0f6143739df8583adb7e93856ad3584c9fdb (diff)
[5.2.x] Refs #35612 -- Extended docs on how the security team evaluates reports.
Co-authored-by: Shai Berger <shai@platonix.com>

Backport of f609a2da868b2320ecdc0551df3cca360d5b5bc3 from main.
Diffstat (limited to 'docs/internals')
-rw-r--r-- docs/internals/security.txt 10
1 files changed, 8 insertions, 2 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index 6aac9a6b66..4c3aca61e0 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -49,8 +49,14 @@ requires a security release:
* The vulnerability is within a :ref:`supported version <security-support>` of
Django.
-* The vulnerability applies to a production-grade Django application. This means
- the following do not require a security release:
+* The vulnerability does not depend on manual actions that rely on code
+ external to Django. This includes actions performed by a project's developer
+ or maintainer using developer tools or the Django CLI. For example, attacks
+ that require running management commands with uncommon or insecure options
+ do not qualify.
+
+* The vulnerability applies to a production-grade Django application. This
+ means the following scenarios do not require a security release:
* Exploits that only affect local development, for example when using
:djadmin:`runserver`.
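Review bot: the blank line added at the end of the new bullet (the lone `+` line before `+* The vulnerability applies to a production-grade Django application.`) leaves the list spaced inconsistently, since no blank line is added between the preceding `* The vulnerability is within a :ref:`supported version <security-support>` of` item and the new `+* The vulnerability does not depend on manual actions that rely on code` item; either add a blank line before the new bullet as well or drop the added blank line so every item in this reST list is separated the same way. On wording, the new criterion says the vulnerability must not depend on "code external to Django" but then gives "the Django CLI" and "running management commands" as examples, which are part of Django itself; consider rephrasing to "actions a developer or maintainer must take manually, such as running management commands with uncommon or insecure options" so the example does not contradict the rule it illustrates.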