From 1f0abb0595ed806a14695398627fc77052bb6b63 Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Mon, 30 Mar 2026 16:59:30 -0300 Subject: [6.0.x] Added section for respecting maintainer time to the security policy. This follows a post from Seth Larson (Security Developer-in-Residence at the PSF): https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies Backport of 90cd510b3b033605907f6521ef98f35d2bd6c3a0 from main. --- docs/internals/security.txt | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 32705584a4..3c7271e0b8 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt 
@@ -43,6 +43,39 @@ the industry-standard 90 days. Confirmed vulnerabilities with a .. _our public Trac instance: https://code.djangoproject.com/query +.. _respecting-maintainer-time: + +Respecting maintainer time +-------------------------- + +Django's security team are volunteers. Please be mindful and respectful of +their time when submitting reports. Your initial report should give the team +enough to make a triage decision, no more. It should include: + +* A brief description of the issue and where in Django it occurs. + +* A minimal, working proof of concept (code snippet or reproduction steps). + +* The versions of Django and Python you tested against. + +* Optionally, a minimal patch with the mitigation for the issue. + +Please do not include severity scores (CVSS or otherwise), lengthy background +sections, multiple headers, or a determination of whether the issue constitutes +a vulnerability. The security team will make those assessments. Extensive +upfront analysis makes triage slower, not faster. If the team confirms the +issue is a valid vulnerability, they will follow up and welcome further detail +at that stage. + +If you have identified multiple potential issues, please wait for a triage +result on your initial report before submitting further ones. Exceptions can be +made for issues that are clearly and directly related to an already reported +finding. Feedback on an initial report is often relevant to subsequent ones, +and taking the time to read and incorporate it leads to better reports overall. + +The security team is not able to process large volumes of reports submitted in +a short period of time, and reports submitted in bulk may be put on hold. + Reporting guidelines -------------------- -- cgit v1.3
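Review bot: the `respecting-maintainer-time` label is added at the top of the hunk, but nothing in the patch links to it, and the new bullet list ("A brief description...", "A minimal, working proof of concept...", versions tested) overlaps with what the adjacent "Reporting guidelines" section covers; consider adding a `:ref:` from "Reporting guidelines" back to this section so a reader who jumps straight to the guidelines also sees the triage-sized-report expectation. Minor wording point: "Django's security team are volunteers" pairs a plural verb with a singular collective noun, while the same section later uses "The security team will make those assessments" and "The security team is not able to process"; "Django's security team is made up of volunteers" would be consistent with those. Also consider stating what "put on hold" means for reports submitted in bulk (for example, that they are queued and triaged in order rather than discarded), since the current sentence leaves the outcome open.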