mirror of https://github.com/django/django.git synced 2025-03-12 10:22:37 +00:00

[5.2.x] Updated expectations for when security reports will receive a reply.

Backport of cecb76a942e4c9df518df098b1e62778cfe20f06 from main.
Sarah Boyce 2025-02-21 11:25:31 +01:00
parent aadc5c569b
commit a39d0ff88f


@ -27,8 +27,13 @@ implications, please send a description of the issue via email to
team <https://www.djangoproject.com/foundation/teams/#security-team>`_.
Once you've submitted an issue via email, you should receive an acknowledgment
from a member of the security team within 48 hours, and depending on the
action to be taken, you may receive further followup emails.
from a member of the security team within 3 working days. After that, the
security team will begin their analysis. Depending on the action to be taken,
you may receive followup emails. It can take several weeks before the security
team comes to a conclusion. There is no need to chase the security team unless
you discover new, relevant information. All reports aim to be resolved within
the industry-standard 90 days. Confirmed vulnerabilities with a
:ref:`high severity level <severity-levels>` will be addressed promptly.
.. admonition:: Sending encrypted reports
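Review bot: "within 3 working days" and "the industry-standard 90 days" both leave the reference point undefined, which matters to reporters deciding when a report has gone stale: say whose working days (the team is distributed across time zones and holiday calendars) and whether the 90 days run from receipt of the report to a fix, to public disclosure, or to something else. Two smaller wording points in the same added text: "All reports aim to be resolved" makes the report the actor, so something like "We aim to resolve all reports within 90 days of receipt" reads better and keeps the commitment with the team; and "will be addressed promptly" for high-severity issues gives no expectation at all next to the concrete 90-day figure, so either state the tighter target or say that high-severity issues are handled out of band. The new :ref:`high severity level <severity-levels>` target is added further down in this same change, so the cross-reference resolves.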
@ -110,20 +115,15 @@ will not issue patches or new releases for those versions.
.. _main development branch: https://github.com/django/django/
.. _security-disclosure:
.. _severity-levels:
How Django discloses security issues
====================================
Security issue severity levels
==============================
Our process for taking a security issue from private discussion to
public disclosure involves multiple steps.
The severity level of a security vulnerability is determined by the attack
type.
Approximately one week before public disclosure, we send two notifications:
First, we notify |django-announce| of the date and approximate time of the
upcoming security release, as well as the severity of the issues. This is to
aid organizations that need to ensure they have staff available to handle
triaging our announcement and upgrade Django as needed. Severity levels are:
Severity levels are:
* **High**
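Review bot: "The severity level of a security vulnerability is determined by the attack type." is narrower than the classification that follows it, which is keyed on the class of issue (for example "Unvalidated redirects/forwards" and "Issues requiring an uncommon configuration option" are describing exploitability and configuration, not an attack type); "is determined by the type of issue, as listed below" would match the list it introduces. The label swap is otherwise consistent: ``.. _severity-levels:`` is the target the first hunk's :ref: uses, and ``.. _security-disclosure:`` is not lost, it moves with its section further down, so it should still appear exactly once in the file after the change.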
@ -144,6 +144,21 @@ triaging our announcement and upgrade Django as needed. Severity levels are:
* Unvalidated redirects/forwards
* Issues requiring an uncommon configuration option
.. _security-disclosure:
How Django discloses security issues
====================================
Our process for taking a security issue from private discussion to
public disclosure involves multiple steps.
Approximately one week before public disclosure, we send two notifications:
First, we notify |django-announce| of the date and approximate time of the
upcoming security release, as well as the severity of the issues. This is to
aid organizations that need to ensure they have staff available to handle
triaging our announcement and upgrade Django as needed.
Second, we notify a list of :ref:`people and organizations
<security-notifications>`, primarily composed of operating-system vendors and
other distributors of Django. This email is signed with the PGP key of someone
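Review bot: now that the disclosure section follows the severity levels rather than preceding them, "as well as the severity of the issues" in the first notification paragraph is the natural place for a :ref:`severity-levels` cross-reference, so a reader landing here from the announcement list can see what "high" or "moderate" in a pre-notification commits them to; the sentence otherwise reads unchanged from its old position. Dropping the trailing "Severity levels are:" from "triaging our announcement and upgrade Django as needed." is correct, since that lead-in now belongs to the new section above. Since the moved heading now directly follows a bullet list, double-check in the rendered build that a blank line separates the last list item from the ``.. _security-disclosure:`` label; otherwise the label is parsed as part of the list.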