mirror of https://github.com/django/django.git synced 2025-10-24 22:26:08 +00:00

Updated expectations for when security reports will receive a reply.

This commit is contained in:
Sarah Boyce
2025-02-21 11:25:31 +01:00
parent 51cab4ad51
commit cecb76a942


@@ -27,8 +27,13 @@ implications, please send a description of the issue via email to
team <https://www.djangoproject.com/foundation/teams/#security-team>`_. team <https://www.djangoproject.com/foundation/teams/#security-team>`_.
Once you've submitted an issue via email, you should receive an acknowledgment Once you've submitted an issue via email, you should receive an acknowledgment
from a member of the security team within 48 hours, and depending on the from a member of the security team within 3 working days. After that, the
action to be taken, you may receive further followup emails. security team will begin their analysis. Depending on the action to be taken,
you may receive followup emails. It can take several weeks before the security
team comes to a conclusion. There is no need to chase the security team unless
you discover new, relevant information. All reports aim to be resolved within
the industry-standard 90 days. Confirmed vulnerabilities with a
:ref:`high severity level <severity-levels>` will be addressed promptly.
.. admonition:: Sending encrypted reports .. admonition:: Sending encrypted reports
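Review bot: "All reports aim to be resolved within the industry-standard 90 days" has the reports doing the aiming; suggest "We aim to resolve all reports within the industry-standard 90 days." The closing sentence, "Confirmed vulnerabilities with a :ref:`high severity level <severity-levels>` will be addressed promptly", is the one expectation in this paragraph left without a figure, while the rest of the hunk replaces "48 hours" with "3 working days" and sets a 90-day target; if high-severity issues get a shorter resolution target, state it, otherwise "promptly" will be read as a promise with no bound. The `:ref:` target `severity-levels` only exists once the second hunk of this patch lands, so the two must not be split.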
@@ -110,20 +115,15 @@ will not issue patches or new releases for those versions.
.. _main development branch: https://github.com/django/django/ .. _main development branch: https://github.com/django/django/
.. _security-disclosure: .. _severity-levels:
How Django discloses security issues Security issue severity levels
==================================== ==============================
Our process for taking a security issue from private discussion to The severity level of a security vulnerability is determined by the attack
public disclosure involves multiple steps. type.
Approximately one week before public disclosure, we send two notifications: Severity levels are:
First, we notify |django-announce| of the date and approximate time of the
upcoming security release, as well as the severity of the issues. This is to
aid organizations that need to ensure they have staff available to handle
triaging our announcement and upgrade Django as needed. Severity levels are:
* **High** * **High**
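Review bot: the new one-sentence introduction, "The severity level of a security vulnerability is determined by the attack type.", says how a level is assigned but not what it affects; since the first hunk now ties response speed to severity and the disclosure section (moved below) tells |django-announce| the severity of upcoming issues, one sentence here saying the level drives response timing and pre-notification would connect the three sections. The removal of `.. _security-disclosure:` in this hunk is a move rather than a deletion (it is re-added in the next hunk), and Sphinx labels resolve regardless of position, so existing `:ref:` links keep working; the hunk header context "triaging our announcement and upgrade Django as needed. Severity levels are:" confirms the list previously hung off the disclosure paragraph, so detaching it is the right call.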
@@ -144,6 +144,21 @@ triaging our announcement and upgrade Django as needed. Severity levels are:
* Unvalidated redirects/forwards * Unvalidated redirects/forwards
* Issues requiring an uncommon configuration option * Issues requiring an uncommon configuration option
.. _security-disclosure:
How Django discloses security issues
====================================
Our process for taking a security issue from private discussion to
public disclosure involves multiple steps.
Approximately one week before public disclosure, we send two notifications:
First, we notify |django-announce| of the date and approximate time of the
upcoming security release, as well as the severity of the issues. This is to
aid organizations that need to ensure they have staff available to handle
triaging our announcement and upgrade Django as needed.
Second, we notify a list of :ref:`people and organizations Second, we notify a list of :ref:`people and organizations
<security-notifications>`, primarily composed of operating-system vendors and <security-notifications>`, primarily composed of operating-system vendors and
other distributors of Django. This email is signed with the PGP key of someone other distributors of Django. This email is signed with the PGP key of someone
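Review bot: the relocated disclosure text is unchanged, but it now sits in a separate section from the new 90-day resolution target in the first hunk, and nothing states how the "approximately one week before public disclosure" pre-notification relates to that window; a clause saying whether the pre-notification week falls inside the 90 days (or starts after a fix is ready) would stop reporters reading the two timelines as additive. The heading underline under "How Django discloses security issues" matches the title length, so the moved heading renders cleanly.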