diff --git a/docs/internals/mailing-lists.txt b/docs/internals/mailing-lists.txt index 1ca979fe93..c39d3e3cc5 100644 --- a/docs/internals/mailing-lists.txt +++ b/docs/internals/mailing-lists.txt @@ -94,8 +94,8 @@ Django's components. ``django-announce`` =================== -A (very) low-traffic list for announcing new releases of Django and important -bugfixes. +A (very) low-traffic list for announcing :ref:`upcoming security releases +`, new releases of Django, and security advisories. * `django-announce mailing archive`_ * `django-announce subscription email address`_ diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 7107a105eb..148418e0fe 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -25,14 +25,13 @@ Instead, if you believe you've found something in Django which has security implications, please send a description of the issue via email to ``security@djangoproject.com``. Mail sent to that address reaches a :ref:`subset of the core team `, who can forward security -issues into the private committers' mailing list for broader discussion if -needed. +issues into the private team's mailing list for broader discussion if needed. Once you've submitted an issue via email, you should receive an acknowledgment from a member of the security team within 48 hours, and depending on the action to be taken, you may receive further followup emails. -.. note:: +.. admonition:: Sending encrypted reports If you want to send an encrypted email (*optional*), the public key ID for ``security@djangoproject.com`` is ``0xfcb84b8d1d17f80b``, and this public @@ -48,8 +47,11 @@ Supported versions At any given time, the Django team provides official security support for several versions of Django: -* The `master development branch`_, hosted on GitHub, which will - become the next release of Django, receives security support. +* The `master development branch`_, hosted on GitHub, which will become the + next major release of Django, receives security support. Security issues that + only affect the master development branch and not any stable released versions + are fixed in public without going through the :ref:`disclosure process + `. * The two most recent Django release series receive security support. For example, during the development cycle leading to the @@ -76,11 +78,35 @@ How Django discloses security issues Our process for taking a security issue from private discussion to public disclosure involves multiple steps. -Approximately one week before full public disclosure, we will send -advance notification of the issue to a list of people and -organizations, primarily composed of operating-system vendors and -other distributors of Django. This notification will consist of an -email message, signed with the Django release key, containing: +Approximately one week before public disclosure, we send two notifications: + +First, we notify |django-announce| of the date and approximate time of the +upcoming security release, as well as the severity of the issues. This is to +aid organizations that need to ensure they have staff available to handle +triaging our announcement and upgrade Django as needed. Severity levels are: + +**High**: + +* Remote code execution +* SQL injection + +**Moderate**: + +* Cross site scripting (XSS) +* Cross site request forgery (CSRF) +* Broken authentication + +**Low**: + +* Sensitive data exposure +* Broken session management +* Unvalidated redirects/forwards +* Issues requiring an uncommon configuration option + +Second, we notify a list of :ref:`people and organizations +`, primarily composed of operating-system vendors and +other distributors of Django. This email is signed with the PGP key of someone +from :ref:`Django's release team ` and consists of: * A full description of the issue and the affected versions of Django. @@ -91,15 +117,9 @@ email message, signed with the Django release key, containing: * The date on which the Django team will apply these patches, issue new releases and publicly disclose the issue. -Simultaneously, the reporter of the issue will receive notification of -the date on which we plan to take the issue public. - On the day of disclosure, we will take the following steps: -1. Apply the relevant patch(es) to Django's codebase. The commit - messages for these patches will indicate that they are for security - issues, but will not describe the issue in any detail; instead, - they will warn of upcoming disclosure. +1. Apply the relevant patch(es) to Django's codebase. 2. Issue the relevant release(s), by placing new packages on `the Python Package Index`_ and on the Django website, and tagging the @@ -130,7 +150,6 @@ theirs. The Django team also maintains an :doc:`archive of security issues disclosed in Django`. - .. _security-notifications: Who receives advance notification @@ -187,11 +206,12 @@ Your request **must** include the following information: * A detailed explanation of how you or your organization fit at least one set of criteria listed above. -* A detailed explanation of why you are requesting security - notifications. Again, please keep in mind that this is *not* simply - a list for users of Django, and the overwhelming majority of users - of Django should not request notifications and will not be added to - our notification list if they do. +* A detailed explanation of why you are requesting security notifications. + Again, please keep in mind that this is *not* simply a list for users of + Django, and the overwhelming majority of users should subscribe to + |django-announce| to receive advanced notice of when a security release will + happen, without the details of the issues, rather than request detailed + notifications. * The email address you would like to have added to our notification list. @@ -213,11 +233,3 @@ Please also bear in mind that for any individual or organization, receiving security notifications is a privilege granted at the sole discretion of the Django development team, and that this privilege can be revoked at any time, with or without explanation. - -If you are added to the notification list, security-related emails -will be sent to you by Django's release team, and all notification -emails will be signed with a key authorized to issue Django -releases. The list of authorized keys is in `the Django releasers -file`_. - -.. _the Django releasers file: https://www.djangoproject.com/m/pgp/django-releasers.txt