diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 6aac9a6b66..4c3aca61e0 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -49,8 +49,14 @@ requires a security release: * The vulnerability is within a :ref:`supported version ` of Django. -* The vulnerability applies to a production-grade Django application. This means - the following do not require a security release: +* The vulnerability does not depend on manual actions that rely on code + external to Django. This includes actions performed by a project's developer + or maintainer using developer tools or the Django CLI. For example, attacks + that require running management commands with uncommon or insecure options + do not qualify. + +* The vulnerability applies to a production-grade Django application. This + means the following scenarios do not require a security release: * Exploits that only affect local development, for example when using :djadmin:`runserver`.
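Review bot: The new bullet's qualifier "uncommon or insecure options" is subjective in a document that exists to make the security-release criteria predictable; "uncommon" in particular gives a reporter no way to tell in advance whether their finding qualifies. Consider tightening the example to options whose documentation already marks them as unsafe, e.g. "management commands with options that the documentation already describes as insecure", and state plainly that an option being merely rarely used is not, by itself, disqualifying. The phrase "code external to Django" is also broad enough to cover any third-party package or project-specific code, which could be read as excluding many realistic deployments; if the intent is developer-driven tooling (the CLI and developer tools named in the next sentence), it would help to say so rather than leading with the general wording. Finally, since this bullet is really a special case of the "production-grade Django application" criterion that follows it, it may read more coherently nested under that bullet alongside the existing `:djadmin:\`runserver\`` example than as a separate top-level item.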