mirror of https://github.com/django/django.git, synced 2025-10-25 06:36:07 +00:00
Updated expectations for when security reports will receive a reply.
		| @@ -27,8 +27,13 @@ implications, please send a description of the issue via email to | |||||||
| team <https://www.djangoproject.com/foundation/teams/#security-team>`_. | team <https://www.djangoproject.com/foundation/teams/#security-team>`_. | ||||||
|  |  | ||||||
| Once you've submitted an issue via email, you should receive an acknowledgment | Once you've submitted an issue via email, you should receive an acknowledgment | ||||||
| from a member of the security team within 48 hours, and depending on the | from a member of the security team within 3 working days. After that, the | ||||||
| action to be taken, you may receive further followup emails. | security team will begin their analysis. Depending on the action to be taken, | ||||||
|  | you may receive followup emails. It can take several weeks before the security | ||||||
|  | team comes to a conclusion. There is no need to chase the security team unless | ||||||
|  | you discover new, relevant information. All reports aim to be resolved within | ||||||
|  | the industry-standard 90 days. Confirmed vulnerabilities with a | ||||||
|  | :ref:`high severity level <severity-levels>` will be addressed promptly. | ||||||
|  |  | ||||||
| .. admonition:: Sending encrypted reports | .. admonition:: Sending encrypted reports | ||||||
|  |  | ||||||
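Review bot: the new paragraph describes what happens after the acknowledgment but not what a reporter should do if no acknowledgment arrives within the stated 3 working days; because the text then says "There is no need to chase the security team unless you discover new, relevant information", a reporter whose email was lost or filtered is left without guidance. Suggest one sentence after the 3-working-days line, e.g. "If you do not receive an acknowledgment within that period, please resend your report." It would also help to tie "will be addressed promptly" for high-severity issues to a concrete expectation, since the only timeframe the paragraph gives is the 90-day target.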
| @@ -110,20 +115,15 @@ will not issue patches or new releases for those versions. | |||||||
|  |  | ||||||
| .. _main development branch: https://github.com/django/django/ | .. _main development branch: https://github.com/django/django/ | ||||||
|  |  | ||||||
| .. _security-disclosure: | .. _severity-levels: | ||||||
|  |  | ||||||
| How Django discloses security issues | Security issue severity levels | ||||||
| ==================================== | ============================== | ||||||
|  |  | ||||||
| Our process for taking a security issue from private discussion to | The severity level of a security vulnerability is determined by the attack | ||||||
| public disclosure involves multiple steps. | type. | ||||||
|  |  | ||||||
| Approximately one week before public disclosure, we send two notifications: | Severity levels are: | ||||||
|  |  | ||||||
| First, we notify |django-announce| of the date and approximate time of the |  | ||||||
| upcoming security release, as well as the severity of the issues. This is to |  | ||||||
| aid organizations that need to ensure they have staff available to handle |  | ||||||
| triaging our announcement and upgrade Django as needed. Severity levels are: |  | ||||||
|  |  | ||||||
| * **High** | * **High** | ||||||
|  |  | ||||||
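Review bot: "The severity level of a security vulnerability is determined by the attack type." is narrower than the list it introduces: the severity list continued in the next hunk includes "Issues requiring an uncommon configuration option", which is a precondition for exploitation rather than an attack type. Consider "determined by the type of attack and the conditions needed to exploit it." Moving the `.. _security-disclosure:` label and its heading out of this spot is fine, as they are re-added unchanged further down and existing :ref: links to that label keep resolving.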
| @@ -144,6 +144,21 @@ triaging our announcement and upgrade Django as needed. Severity levels are: | |||||||
|   * Unvalidated redirects/forwards |   * Unvalidated redirects/forwards | ||||||
|   * Issues requiring an uncommon configuration option |   * Issues requiring an uncommon configuration option | ||||||
|  |  | ||||||
|  | .. _security-disclosure: | ||||||
|  |  | ||||||
|  | How Django discloses security issues | ||||||
|  | ==================================== | ||||||
|  |  | ||||||
|  | Our process for taking a security issue from private discussion to | ||||||
|  | public disclosure involves multiple steps. | ||||||
|  |  | ||||||
|  | Approximately one week before public disclosure, we send two notifications: | ||||||
|  |  | ||||||
|  | First, we notify |django-announce| of the date and approximate time of the | ||||||
|  | upcoming security release, as well as the severity of the issues. This is to | ||||||
|  | aid organizations that need to ensure they have staff available to handle | ||||||
|  | triaging our announcement and upgrade Django as needed. | ||||||
|  |  | ||||||
| Second, we notify a list of :ref:`people and organizations | Second, we notify a list of :ref:`people and organizations | ||||||
| <security-notifications>`, primarily composed of operating-system vendors and | <security-notifications>`, primarily composed of operating-system vendors and | ||||||
| other distributors of Django. This email is signed with the PGP key of someone | other distributors of Django. This email is signed with the PGP key of someone | ||||||
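Review bot: the moved paragraph still says "as well as the severity of the issues" but, now that the severity definitions live in their own section above, it no longer sits next to them. Add a cross-reference so readers of the announcement can find the scale, e.g. "as well as the :ref:`severity <severity-levels>` of the issues", matching the :ref: already introduced in the first hunk.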