| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-02-21 11:25:31 +0100 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-02-24 08:53:56 +0100 |
| commit | a39d0ff88f6a728ae93dbdc58f0c5e2ee8558424 (patch) | |
| tree | 0161734b0957190469919d7ed555cc4e79413496 /docs | |
| parent | aadc5c569bdf73d9e358c4371f7da18a0410234c (diff) | |
[5.2.x] Updated expectations for when security reports will receive a reply.
Backport of cecb76a942e4c9df518df098b1e62778cfe20f06 from main.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/security.txt | 41 |
1 file changed, 28 insertions, 13 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 4c3aca61e0..f0a3e85f64 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -27,8 +27,13 @@ implications, please send a description of the issue via email to team <https://www.djangoproject.com/foundation/teams/#security-team>`_. Once you've submitted an issue via email, you should receive an acknowledgment -from a member of the security team within 48 hours, and depending on the -action to be taken, you may receive further followup emails. +from a member of the security team within 3 working days. After that, the +security team will begin their analysis. Depending on the action to be taken, +you may receive followup emails. It can take several weeks before the security +team comes to a conclusion. There is no need to chase the security team unless +you discover new, relevant information. All reports aim to be resolved within +the industry-standard 90 days. Confirmed vulnerabilities with a +:ref:`high severity level <severity-levels>` will be addressed promptly. .. admonition:: Sending encrypted reports 
@@ -110,20 +115,15 @@ will not issue patches or new releases for those versions. .. _main development branch: https://github.com/django/django/ -.. _security-disclosure: - -How Django discloses security issues -==================================== +.. _severity-levels: -Our process for taking a security issue from private discussion to -public disclosure involves multiple steps. +Security issue severity levels +============================== -Approximately one week before public disclosure, we send two notifications: +The severity level of a security vulnerability is determined by the attack +type. -First, we notify |django-announce| of the date and approximate time of the -upcoming security release, as well as the severity of the issues. This is to -aid organizations that need to ensure they have staff available to handle -triaging our announcement and upgrade Django as needed. Severity levels are: +Severity levels are: * **High** @@ -144,6 +144,21 @@ triaging our announcement and upgrade Django as needed. Severity levels are: * Unvalidated redirects/forwards * Issues requiring an uncommon configuration option +.. _security-disclosure: + +How Django discloses security issues +==================================== + +Our process for taking a security issue from private discussion to +public disclosure involves multiple steps. + +Approximately one week before public disclosure, we send two notifications: + +First, we notify |django-announce| of the date and approximate time of the +upcoming security release, as well as the severity of the issues. This is to +aid organizations that need to ensure they have staff available to handle +triaging our announcement and upgrade Django as needed. + Second, we notify a list of :ref:`people and organizations <security-notifications>`, primarily composed of operating-system vendors and other distributors of Django. This email is signed with the PGP key of someone |
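Review bot: In the first hunk, "All reports aim to be resolved within the industry-standard 90 days" has the reports doing the aiming; suggest "We aim to resolve all reports within the industry-standard 90 days." Two further points in the same hunk: "3 working days" is ambiguous for an international reporter (whose working week, which holidays?), whereas the replaced "48 hours" wording was unambiguous, so consider stating the convention or using calendar days; and "Confirmed vulnerabilities with a high severity level will be addressed promptly" would help reporters more as a concrete target, since "promptly" gives them nothing to measure against when deciding whether to follow up.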
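Review bot: In the second hunk, the new lead sentence "The severity level of a security vulnerability is determined by the attack type" does not match the list it introduces, which includes "Issues requiring an uncommon configuration option", a precondition for exploitation rather than an attack type; suggest "is determined by the attack type and the conditions required to exploit it." In the third hunk, now that the level definitions live in their own section, the phrase "as well as the severity of the issues" in the first-notification paragraph should link back to them with :ref:`severity-levels`, so a reader who starts at the disclosure process can find what High means.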
