1. ==========================

  2. Django's security policies

  3. ==========================

  4. 

  5. Django's development team is strongly committed to responsible

  6. reporting and disclosure of security-related issues. As such, we've

  7. adopted and follow a set of policies which conform to that ideal and

  8. are geared toward allowing us to deliver timely security updates to

  9. the official distribution of Django, as well as to third-party

  10. distributions.

  11. 

  12. .. _reporting-security-issues:

  13. 

  14. Reporting security issues

  15. =========================

  16. 

  17. **Short version: please report security issues by emailing

  18. [email protected]**.

  19. 

  20. Most normal bugs in Django are reported to `our public Trac instance`_, but

  21. due to the sensitive nature of security issues, we ask that they **not** be

  22. publicly reported in this fashion.

  23. 

  24. Instead, if you believe you've found something in Django which has security

  25. implications, please send a description of the issue via email to

  26. ``[email protected]``. Mail sent to that address reaches the `security

  27. team <https://www.djangoproject.com/foundation/teams/#security-team>`_.

  28. 

  29. Once you've submitted an issue via email, you should receive an acknowledgment

  30. from a member of the security team within 48 hours, and depending on the

  31. action to be taken, you may receive further followup emails.

  32. 

  33. .. admonition:: Sending encrypted reports

  34. 

  35.     If you want to send an encrypted email (*optional*), the public key ID for

  36.     ``[email protected]`` is ``0xfcb84b8d1d17f80b``, and this public

  37.     key is available from most commonly-used keyservers.

  38. 

  39. .. _our public Trac instance: https://code.djangoproject.com/query

  40. 

  41. .. _security-support:

  42. 

  43. Supported versions

  44. ==================

  45. 

  46. At any given time, the Django team provides official security support

  47. for several versions of Django:

  48. 

  49. * The `main development branch`_, hosted on GitHub, which will become the

  50.   next major release of Django, receives security support. Security issues that

  51.   only affect the main development branch and not any stable released versions

  52.   are fixed in public without going through the :ref:`disclosure process

  53.   <security-disclosure>`.

  54. 

  55. * The two most recent Django release series receive security

  56.   support. For example, during the development cycle leading to the

  57.   release of Django 1.5, support will be provided for Django 1.4 and

  58.   Django 1.3. Upon the release of Django 1.5, Django 1.3's security

  59.   support will end.

  60. 

  61. * :term:`Long-term support release`\s will receive security updates for a

  62.   specified period.

  63. 

  64. When new releases are issued for security reasons, the accompanying

  65. notice will include a list of affected versions. This list is

  66. comprised solely of *supported* versions of Django: older versions may

  67. also be affected, but we do not investigate to determine that, and

  68. will not issue patches or new releases for those versions.

  69. 

  70. .. _main development branch: https://github.com/django/django/

  71. 

  72. .. _security-disclosure:

  73. 

  74. How Django discloses security issues

  75. ====================================

  76. 

  77. Our process for taking a security issue from private discussion to

  78. public disclosure involves multiple steps.

  79. 

  80. Approximately one week before public disclosure, we send two notifications:

  81. 

  82. First, we notify |django-announce| of the date and approximate time of the

  83. upcoming security release, as well as the severity of the issues. This is to

  84. aid organizations that need to ensure they have staff available to handle

  85. triaging our announcement and upgrade Django as needed. Severity levels are:

  86. 

  87. **High**:

  88. 

  89. * Remote code execution

  90. * SQL injection

  91. 

  92. **Moderate**:

  93. 

  94. * Cross site scripting (XSS)

  95. * Cross site request forgery (CSRF)

  96. * Denial-of-service attacks

  97. * Broken authentication

  98. 

  99. **Low**:

  100. 

  101. * Sensitive data exposure

  102. * Broken session management

  103. * Unvalidated redirects/forwards

  104. * Issues requiring an uncommon configuration option

  105. 

  106. Second, we notify a list of :ref:`people and organizations

  107. <security-notifications>`, primarily composed of operating-system vendors and

  108. other distributors of Django. This email is signed with the PGP key of someone

  109. from `Django's release team`_ and consists of:

  110. 

  111. * A full description of the issue and the affected versions of Django.

  112. 

  113. * The steps we will be taking to remedy the issue.

  114. 

  115. * The patch(es), if any, that will be applied to Django.

  116. 

  117. * The date on which the Django team will apply these patches, issue

  118.   new releases and publicly disclose the issue.

  119. 

  120. On the day of disclosure, we will take the following steps:

  121. 

  122. #. Apply the relevant patch(es) to Django's codebase.

  123. 

  124. #. Issue the relevant release(s), by placing new packages on `the

  125.    Python Package Index`_ and on the Django website, and tagging the

  126.    new release(s) in Django's git repository.

  127. 

  128. #. Post a public entry on `the official Django development blog`_,

  129.    describing the issue and its resolution in detail, pointing to the

  130.    relevant patches and new releases, and crediting the reporter of

  131.    the issue (if the reporter wishes to be publicly identified).

  132. 

  133. #. Post a notice to the |django-announce| and [email protected]

  134.    mailing lists that links to the blog post.

  135. 

  136. .. _the Python Package Index: https://pypi.org/

  137. .. _the official Django development blog: https://www.djangoproject.com/weblog/

  138. 

  139. If a reported issue is believed to be particularly time-sensitive --

  140. due to a known exploit in the wild, for example -- the time between

  141. advance notification and public disclosure may be shortened

  142. considerably.

  143. 

  144. Additionally, if we have reason to believe that an issue reported to

  145. us affects other frameworks or tools in the Python/web ecosystem, we

  146. may privately contact and discuss those issues with the appropriate

  147. maintainers, and coordinate our own disclosure and resolution with

  148. theirs.

  149. 

  150. The Django team also maintains an :doc:`archive of security issues

  151. disclosed in Django</releases/security>`.

  152. 

  153. .. _Django's release team: https://www.djangoproject.com/foundation/teams/#releasers-team

  154. 

  155. .. _security-notifications:

  156. 

  157. Who receives advance notification

  158. =================================

  159. 

  160. The full list of people and organizations who receive advance

  161. notification of security issues is not and will not be made public.

  162. 

  163. We also aim to keep this list as small as effectively possible, in

  164. order to better manage the flow of confidential information prior to

  165. disclosure. As such, our notification list is *not* simply a list of

  166. users of Django, and being a user of Django is not sufficient reason

  167. to be placed on the notification list.

  168. 

  169. In broad terms, recipients of security notifications fall into three

  170. groups:

  171. 

  172. 1. Operating-system vendors and other distributors of Django who

  173.    provide a suitably-generic (i.e., *not* an individual's personal

  174.    email address) contact address for reporting issues with their

  175.    Django package, or for general security reporting. In either case,

  176.    such addresses **must not** forward to public mailing lists or bug

  177.    trackers. Addresses which forward to the private email of an

  178.    individual maintainer or security-response contact are acceptable,

  179.    although private security trackers or security-response groups are

  180.    strongly preferred.

  181. 

  182. 2. On a case-by-case basis, individual package maintainers who have

  183.    demonstrated a commitment to responding to and responsibly acting

  184.    on these notifications.

  185. 

  186. 3. On a case-by-case basis, other entities who, in the judgment of the

  187.    Django development team, need to be made aware of a pending

  188.    security issue. Typically, membership in this group will consist of

  189.    some of the largest and/or most likely to be severely impacted

  190.    known users or distributors of Django, and will require a

  191.    demonstrated ability to responsibly receive, keep confidential and

  192.    act on these notifications.

  193. 

  194. .. admonition:: Security audit and scanning entities

  195. 

  196.     As a policy, we do not add these types of entities to the notification

  197.     list.

  198. 

  199. Requesting notifications

  200. ========================

  201. 

  202. If you believe that you, or an organization you are authorized to

  203. represent, fall into one of the groups listed above, you can ask to be

  204. added to Django's notification list by emailing

  205. ``[email protected]``. Please use the subject line "Security

  206. notification request".

  207. 

  208. Your request **must** include the following information:

  209. 

  210. * Your full, real name and the name of the organization you represent,

  211.   if applicable, as well as your role within that organization.

  212. 

  213. * A detailed explanation of how you or your organization fit at least

  214.   one set of criteria listed above.

  215. 

  216. * A detailed explanation of why you are requesting security notifications.

  217.   Again, please keep in mind that this is *not* simply a list for users of

  218.   Django, and the overwhelming majority of users should subscribe to

  219.   |django-announce| to receive advanced notice of when a security release will

  220.   happen, without the details of the issues, rather than request detailed

  221.   notifications.

  222. 

  223. * The email address you would like to have added to our notification

  224.   list.

  225. 

  226. * An explanation of who will be receiving/reviewing mail sent to that

  227.   address, as well as information regarding any automated actions that

  228.   will be taken (i.e., filing of a confidential issue in a bug

  229.   tracker).

  230. 

  231. * For individuals, the ID of a public key associated with your address

  232.   which can be used to verify email received from you and encrypt

  233.   email sent to you, as needed.

  234. 

  235. Once submitted, your request will be considered by the Django

  236. development team; you will receive a reply notifying you of the result

  237. of your request within 30 days.

  238. 

  239. Please also bear in mind that for any individual or organization,

  240. receiving security notifications is a privilege granted at the sole

  241. discretion of the Django development team, and that this privilege can

  242. be revoked at any time, with or without explanation.

  243. 

  244. .. admonition:: Provide all required information

  245. 

  246.     A failure to provide the required information in your initial contact

  247.     will count against you when making the decision on whether or not to

  248.     approve your request.
About Sign Up Leave Feedback Contact