From d6a44efa496f407efaf67f61499b2c2ca4317aec Mon Sep 17 00:00:00 2001 From: nessita <124304+nessita@users.noreply.github.com> Date: Tue, 4 Feb 2025 08:54:01 -0300 Subject: [PATCH] [5.2.x] Refs #35612 -- Extended docs on how the security team evaluates reports. Co-authored-by: Shai Berger Backport of f609a2da868b2320ecdc0551df3cca360d5b5bc3 from main. --- docs/internals/security.txt | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 6aac9a6b66..4c3aca61e0 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -49,8 +49,14 @@ requires a security release: * The vulnerability is within a :ref:`supported version ` of Django. -* The vulnerability applies to a production-grade Django application. This means - the following do not require a security release: +* The vulnerability does not depend on manual actions that rely on code + external to Django. This includes actions performed by a project's developer + or maintainer using developer tools or the Django CLI. For example, attacks + that require running management commands with uncommon or insecure options + do not qualify. + +* The vulnerability applies to a production-grade Django application. This + means the following scenarios do not require a security release: * Exploits that only affect local development, for example when using :djadmin:`runserver`.
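Review bot: the new bullet in the hunk is hard to parse as written. Its first sentence stacks two negations ("does not depend on manual actions that rely on code external to Django"), and the follow-up "This includes actions performed by a project's developer or maintainer using developer tools or the Django CLI" leaves it unclear whether those actions are being listed as ones that do or do not qualify. Consider phrasing the criterion positively, e.g. "The vulnerability does not require a project's developer or maintainer to take manual actions using code external to Django, such as developer tools or the Django CLI." The example about "running management commands with uncommon or insecure options" is good and could be kept as the concrete case. One more point: the next bullet's retained example ("Exploits that only affect local development, for example when using :djadmin:`runserver`") also describes a developer action through the Django CLI, so the two criteria now overlap; a short sentence drawing the line between "requires an unusual manual action" and "only affects a non-production deployment" would tell a reporter which criterion applies to their case.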