[5.2.x] Clarified that only latest dependency versions are valid for security reports.

Backport of bc1bfe12b613334bd625aeb36fd44af96d186c10 from main.
author: Jake Howard <6527489+RealOrangeOne@users.noreply.github.com> 2025-06-18 15:04:34 +0100
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-06-18 11:05:15 -0300
commit: db5da3c91c3122300680c4e7200a463273a5351e (patch)
tree: 147e3da6ebede636feb8cb390a5b9e28faf2944c /docs/internals
parent: 359af3779a66281361aff50629c25e81fcfec048 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index b0798d052e..567446c30e 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -55,6 +55,17 @@ set up, run, and reproduce the issue.
 
 Please do not attach screenshots of code.
 
+Use supported versions of dependencies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Django only :ref:`officially supports <faq-python-version-support>` the latest
+micro release (A.B.C) of Python. Vulnerabilities must be reproducible when all
+relevant dependencies (not limited to Python) are at supported versions.
+
+For example, vulnerabilities that only occur when Django is run on a version of
+Python that is no longer receiving security updates ("end-of-life") are **not
+considered valid**, even if that version is listed as supported by Django.
+
 User input must be sanitized
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
author	Jake Howard <6527489+RealOrangeOne@users.noreply.github.com>	2025-06-18 15:04:34 +0100
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-06-18 11:05:15 -0300
commit	db5da3c91c3122300680c4e7200a463273a5351e (patch)
tree	147e3da6ebede636feb8cb390a5b9e28faf2944c /docs/internals
parent	359af3779a66281361aff50629c25e81fcfec048 (diff)