From 9423f8b47673779049f603a7da271d183de7dc1d Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Tue, 8 Oct 2024 08:47:10 +0200 Subject: [PATCH] Fixed #35612 -- Added documentation on how the security team evaluates reports. Co-authored-by: Joshua Olatunji --- docs/internals/security.txt | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 55300b01e1..6aac9a6b66 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -38,6 +38,41 @@ action to be taken, you may receive further followup emails. .. _our public Trac instance: https://code.djangoproject.com/query +.. _security-report-evaluation: + +How does Django evaluate a report +================================= + +These are criteria used by the security team when evaluating whether a report +requires a security release: + +* The vulnerability is within a :ref:`supported version ` of + Django. + +* The vulnerability applies to a production-grade Django application. This means + the following do not require a security release: + + * Exploits that only affect local development, for example when using + :djadmin:`runserver`. + * Exploits which fail to follow security best practices, such as failure to + sanitize user input. For other examples, see our :ref:`security + documentation `. + * Exploits in AI generated code that do not adhere to security best practices. + +The security team may conclude that the source of the vulnerability is within +the Python standard library, in which case the reporter will be asked to report +the vulnerability to the Python core team. For further details see the `Python +security guidelines `_. + +On occasion, a security release may be issued to help resolve a security +vulnerability within a popular third-party package. These reports should come +from the package maintainers. + +If you are unsure whether your finding meets these criteria, please still report +it :ref:`privately by emailing security@djangoproject.com +`. The security team will review your report and +recommend the correct course of action. + .. _security-support: Supported versions