[1.10.x] Updated security policy according to current practices.

Also added security release date notifications to django-announce.

Backport of af98a0a25e from master

docs/internals/mailing-lists.txt

@@ -94,8 +94,8 @@ Django's components.
 ``django-announce``
 ===================
 
-A (very) low-traffic list for announcing new releases of Django and important
+A (very) low-traffic list for announcing :ref:`upcoming security releases
-bugfixes.
+<security-disclosure>`, new releases of Django, and security advisories.
 
 * `django-announce mailing archive`_
 * `django-announce subscription email address`_

docs/internals/security.txt

@@ -25,14 +25,13 @@ Instead, if you believe you've found something in Django which has security
 implications, please send a description of the issue via email to
 ``security@djangoproject.com``. Mail sent to that address reaches a
 :ref:`subset of the core team <security-team-list>`, who can forward security
-issues into the private committers' mailing list for broader discussion if
+issues into the private team's mailing list for broader discussion if needed.
-needed.
 
 Once you've submitted an issue via email, you should receive an acknowledgment
 from a member of the security team within 48 hours, and depending on the
 action to be taken, you may receive further followup emails.
 
-.. note::
+.. admonition:: Sending encrypted reports
 
     If you want to send an encrypted email (*optional*), the public key ID for
     ``security@djangoproject.com`` is ``0xfcb84b8d1d17f80b``, and this public
@@ -48,8 +47,11 @@ Supported versions
 At any given time, the Django team provides official security support
 for several versions of Django:
 
-* The `master development branch`_, hosted on GitHub, which will
+* The `master development branch`_, hosted on GitHub, which will become the
-  become the next release of Django, receives security support.
+  next major release of Django, receives security support. Security issues that
+  only affect the master development branch and not any stable released versions
+  are fixed in public without going through the :ref:`disclosure process
+  <security-disclosure>`.
 
 * The two most recent Django release series receive security
   support. For example, during the development cycle leading to the
@@ -76,11 +78,35 @@ How Django discloses security issues
 Our process for taking a security issue from private discussion to
 public disclosure involves multiple steps.
 
-Approximately one week before full public disclosure, we will send
+Approximately one week before public disclosure, we send two notifications:
-advance notification of the issue to a list of people and
+
-organizations, primarily composed of operating-system vendors and
+First, we notify |django-announce| of the date and approximate time of the
-other distributors of Django. This notification will consist of an
+upcoming security release, as well as the severity of the issues. This is to
-email message, signed with the Django release key, containing:
+aid organizations that need to ensure they have staff available to handle
+triaging our announcement and upgrade Django as needed. Severity levels are:
+
+**High**:
+
+* Remote code execution
+* SQL injection
+
+**Moderate**:
+
+* Cross site scripting (XSS)
+* Cross site request forgery (CSRF)
+* Broken authentication
+
+**Low**:
+
+* Sensitive data exposure
+* Broken session management
+* Unvalidated redirects/forwards
+* Issues requiring an uncommon configuration option
+
+Second, we notify a list of :ref:`people and organizations
+<security-notifications>`, primarily composed of operating-system vendors and
+other distributors of Django. This email is signed with the PGP key of someone
+from :ref:`Django's release team <releasers-list>` and consists of:
 
 * A full description of the issue and the affected versions of Django.
 
@@ -91,15 +117,9 @@ email message, signed with the Django release key, containing:
 * The date on which the Django team will apply these patches, issue
   new releases and publicly disclose the issue.
 
-Simultaneously, the reporter of the issue will receive notification of
-the date on which we plan to take the issue public.
-
 On the day of disclosure, we will take the following steps:
 
-1. Apply the relevant patch(es) to Django's codebase. The commit
+1. Apply the relevant patch(es) to Django's codebase.
-   messages for these patches will indicate that they are for security
-   issues, but will not describe the issue in any detail; instead,
-   they will warn of upcoming disclosure.
 
 2. Issue the relevant release(s), by placing new packages on `the
    Python Package Index`_ and on the Django website, and tagging the
@@ -130,7 +150,6 @@ theirs.
 The Django team also maintains an :doc:`archive of security issues
 disclosed in Django</releases/security>`.
 
-
 .. _security-notifications:
 
 Who receives advance notification
@@ -187,11 +206,12 @@ Your request **must** include the following information:
 * A detailed explanation of how you or your organization fit at least
   one set of criteria listed above.
 
-* A detailed explanation of why you are requesting security
+* A detailed explanation of why you are requesting security notifications.
-  notifications. Again, please keep in mind that this is *not* simply
+  Again, please keep in mind that this is *not* simply a list for users of
-  a list for users of Django, and the overwhelming majority of users
+  Django, and the overwhelming majority of users should subscribe to
-  of Django should not request notifications and will not be added to
+  |django-announce| to receive advanced notice of when a security release will
-  our notification list if they do.
+  happen, without the details of the issues, rather than request detailed
+  notifications.
 
 * The email address you would like to have added to our notification
   list.
@@ -213,11 +233,3 @@ Please also bear in mind that for any individual or organization,
 receiving security notifications is a privilege granted at the sole
 discretion of the Django development team, and that this privilege can
 be revoked at any time, with or without explanation.
-
-If you are added to the notification list, security-related emails
-will be sent to you by Django's release team, and all notification
-emails will be signed with a key authorized to issue Django
-releases. The list of authorized keys is in `the Django releasers
-file`_.
-
-.. _the Django releasers file: https://www.djangoproject.com/m/pgp/django-releasers.txt