| field | value | date |
|---|---|---|
| author | Natalia <124304+nessita@users.noreply.github.com> | 2026-02-26 10:20:21 -0300 |
| committer | nessita <124304+nessita@users.noreply.github.com> | 2026-02-26 11:29:36 -0300 |
| commit | 1f2a56567c565d91d797b8a9071ff77a75b52080 (patch) | |
| tree | 36ee181db2e35a7079a458b6a9514a208d1033e9 /docs | |
| parent | 71d1e92e11093feb9a337f6d77078c5e75cbb92f (diff) | |
Adjusted default DoS severity level in Security Policy.
Diffstat (limited to 'docs')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/internals/security.txt | 13 |

1 file changed, 10 insertions, 3 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt index a3d57e8d7c..5214bf0704 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -347,8 +347,10 @@ will not issue patches or new releases for those versions. Security issue severity levels ============================== -The severity level of a security vulnerability is determined by the attack -type. +The severity level of a security vulnerability is determined primarily by the +attack type. The Django Security Team retains the authority to adjust severity +levels based on the specific characteristics, context, and potential real-world +impact of individual vulnerabilities. Severity levels are: @@ -361,16 +363,21 @@ Severity levels are: * Cross site scripting (XSS) * Cross site request forgery (CSRF) - * Denial-of-service attacks * Broken authentication * **Low** + * Denial-of-service attacks * Sensitive data exposure * Broken session management * Unvalidated redirects/forwards * Issues requiring an uncommon configuration option +For example, a denial-of-service vulnerability that is exploitable by +unauthenticated attackers and affects default Django configurations, causing +severe performance degradation or service unavailability, may be elevated to +**Moderate**, given the potential impact across the Django ecosystem. + .. _security-disclosure: How Django discloses security issues |
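Review bot: In the first hunk (the "Security issue severity levels" paragraph), the new sentence grants the Security Team authority to adjust a severity level but does not say how an adjustment is communicated to users, so a reader comparing an advisory against the table below has no way to tell an adjusted level from a mistake. Consider adding a clause such as "and will note the reason for any adjustment in the corresponding security release announcement" after "individual vulnerabilities", so that "primarily" in "determined primarily by the attack type" has a visible counterpart in practice.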
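Review bot: In the second hunk, the example paragraph describes the conditions under which a denial-of-service issue "may be elevated to **Moderate**" (unauthenticated, default configuration, severe degradation or unavailability), but those are the conditions that most reported DoS issues already meet, so after moving "Denial-of-service attacks" into the **Low** list the text gives no example of a DoS that actually stays Low. Consider adding one sentence of contrast, e.g. "Conversely, a denial-of-service issue that requires authentication or a non-default setting remains **Low**.", so the default placement and the exception can both be predicted from the policy. Minor: "affects default Django configurations" reads more naturally as "affects a default Django configuration".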
