2
0

security.txt 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283
  1. ==========================
  2. Django's security policies
  3. ==========================
  4. Django's development team is strongly committed to responsible
  5. reporting and disclosure of security-related issues. As such, we've
  6. adopted and follow a set of policies which conform to that ideal and
  7. are geared toward allowing us to deliver timely security updates to
  8. the official distribution of Django, as well as to third-party
  9. distributions.
  10. .. _reporting-security-issues:
  11. Reporting security issues
  12. =========================
  13. **Short version: please report security issues by emailing
  14. security@djangoproject.com**.
  15. Most normal bugs in Django are reported to `our public Trac instance`_, but
  16. due to the sensitive nature of security issues, we ask that they **not** be
  17. publicly reported in this fashion.
  18. Instead, if you believe you've found something in Django which has security
  19. implications, please send a description of the issue via email to
  20. ``security@djangoproject.com``. Mail sent to that address reaches the `security
  21. team <https://www.djangoproject.com/foundation/teams/#security-team>`_.
  22. Once you've submitted an issue via email, you should receive an acknowledgment
  23. from a member of the security team within 48 hours, and depending on the
  24. action to be taken, you may receive further followup emails.
  25. .. admonition:: Sending encrypted reports
  26. If you want to send an encrypted email (*optional*), the public key ID for
  27. ``security@djangoproject.com`` is ``0xfcb84b8d1d17f80b``, and this public
  28. key is available from most commonly-used keyservers.
  29. .. _our public Trac instance: https://code.djangoproject.com/query
  30. .. _security-report-evaluation:
  31. How does Django evaluate a report
  32. =================================
  33. These are criteria used by the security team when evaluating whether a report
  34. requires a security release:
  35. * The vulnerability is within a :ref:`supported version <security-support>` of
  36. Django.
  37. * The vulnerability applies to a production-grade Django application. This means
  38. the following do not require a security release:
  39. * Exploits that only affect local development, for example when using
  40. :djadmin:`runserver`.
  41. * Exploits which fail to follow security best practices, such as failure to
  42. sanitize user input. For other examples, see our :ref:`security
  43. documentation <cross-site-scripting>`.
  44. * Exploits in AI generated code that do not adhere to security best practices.
  45. The security team may conclude that the source of the vulnerability is within
  46. the Python standard library, in which case the reporter will be asked to report
  47. the vulnerability to the Python core team. For further details see the `Python
  48. security guidelines <https://www.python.org/dev/security/>`_.
  49. On occasion, a security release may be issued to help resolve a security
  50. vulnerability within a popular third-party package. These reports should come
  51. from the package maintainers.
  52. If you are unsure whether your finding meets these criteria, please still report
  53. it :ref:`privately by emailing security@djangoproject.com
  54. <reporting-security-issues>`. The security team will review your report and
  55. recommend the correct course of action.
  56. .. _security-support:
  57. Supported versions
  58. ==================
  59. At any given time, the Django team provides official security support
  60. for several versions of Django:
  61. * The `main development branch`_, hosted on GitHub, which will become the
  62. next major release of Django, receives security support. Security issues that
  63. only affect the main development branch and not any stable released versions
  64. are fixed in public without going through the :ref:`disclosure process
  65. <security-disclosure>`.
  66. * The two most recent Django release series receive security
  67. support. For example, during the development cycle leading to the
  68. release of Django 1.5, support will be provided for Django 1.4 and
  69. Django 1.3. Upon the release of Django 1.5, Django 1.3's security
  70. support will end.
  71. * :term:`Long-term support release`\s will receive security updates for a
  72. specified period.
  73. When new releases are issued for security reasons, the accompanying
  74. notice will include a list of affected versions. This list is
  75. comprised solely of *supported* versions of Django: older versions may
  76. also be affected, but we do not investigate to determine that, and
  77. will not issue patches or new releases for those versions.
  78. .. _main development branch: https://github.com/django/django/
  79. .. _security-disclosure:
  80. How Django discloses security issues
  81. ====================================
  82. Our process for taking a security issue from private discussion to
  83. public disclosure involves multiple steps.
  84. Approximately one week before public disclosure, we send two notifications:
  85. First, we notify |django-announce| of the date and approximate time of the
  86. upcoming security release, as well as the severity of the issues. This is to
  87. aid organizations that need to ensure they have staff available to handle
  88. triaging our announcement and upgrade Django as needed. Severity levels are:
  89. * **High**
  90. * Remote code execution
  91. * SQL injection
  92. * **Moderate**
  93. * Cross site scripting (XSS)
  94. * Cross site request forgery (CSRF)
  95. * Denial-of-service attacks
  96. * Broken authentication
  97. * **Low**
  98. * Sensitive data exposure
  99. * Broken session management
  100. * Unvalidated redirects/forwards
  101. * Issues requiring an uncommon configuration option
  102. Second, we notify a list of :ref:`people and organizations
  103. <security-notifications>`, primarily composed of operating-system vendors and
  104. other distributors of Django. This email is signed with the PGP key of someone
  105. from `Django's release team`_ and consists of:
  106. * A full description of the issue and the affected versions of Django.
  107. * The steps we will be taking to remedy the issue.
  108. * The patch(es), if any, that will be applied to Django.
  109. * The date on which the Django team will apply these patches, issue
  110. new releases and publicly disclose the issue.
  111. On the day of disclosure, we will take the following steps:
  112. #. Apply the relevant patch(es) to Django's codebase.
  113. #. Issue the relevant release(s), by placing new packages on the :pypi:`Python
  114. Package Index <Django>` and on the `djangoproject.com website
  115. <https://www.djangoproject.com/download/>`_, and tagging the new release(s)
  116. in Django's git repository.
  117. #. Post a public entry on `the official Django development blog`_,
  118. describing the issue and its resolution in detail, pointing to the
  119. relevant patches and new releases, and crediting the reporter of
  120. the issue (if the reporter wishes to be publicly identified).
  121. #. Post a notice to the |django-announce| and oss-security@lists.openwall.com
  122. mailing lists that links to the blog post.
  123. .. _the official Django development blog: https://www.djangoproject.com/weblog/
  124. If a reported issue is believed to be particularly time-sensitive --
  125. due to a known exploit in the wild, for example -- the time between
  126. advance notification and public disclosure may be shortened
  127. considerably.
  128. Additionally, if we have reason to believe that an issue reported to
  129. us affects other frameworks or tools in the Python/web ecosystem, we
  130. may privately contact and discuss those issues with the appropriate
  131. maintainers, and coordinate our own disclosure and resolution with
  132. theirs.
  133. The Django team also maintains an :doc:`archive of security issues
  134. disclosed in Django</releases/security>`.
  135. .. _Django's release team: https://www.djangoproject.com/foundation/teams/#releasers-team
  136. .. _security-notifications:
  137. Who receives advance notification
  138. =================================
  139. The full list of people and organizations who receive advance
  140. notification of security issues is not and will not be made public.
  141. We also aim to keep this list as small as effectively possible, in
  142. order to better manage the flow of confidential information prior to
  143. disclosure. As such, our notification list is *not* simply a list of
  144. users of Django, and being a user of Django is not sufficient reason
  145. to be placed on the notification list.
  146. In broad terms, recipients of security notifications fall into three
  147. groups:
  148. 1. Operating-system vendors and other distributors of Django who
  149. provide a suitably-generic (i.e., *not* an individual's personal
  150. email address) contact address for reporting issues with their
  151. Django package, or for general security reporting. In either case,
  152. such addresses **must not** forward to public mailing lists or bug
  153. trackers. Addresses which forward to the private email of an
  154. individual maintainer or security-response contact are acceptable,
  155. although private security trackers or security-response groups are
  156. strongly preferred.
  157. 2. On a case-by-case basis, individual package maintainers who have
  158. demonstrated a commitment to responding to and responsibly acting
  159. on these notifications.
  160. 3. On a case-by-case basis, other entities who, in the judgment of the
  161. Django development team, need to be made aware of a pending
  162. security issue. Typically, membership in this group will consist of
  163. some of the largest and/or most likely to be severely impacted
  164. known users or distributors of Django, and will require a
  165. demonstrated ability to responsibly receive, keep confidential and
  166. act on these notifications.
  167. .. admonition:: Security audit and scanning entities
  168. As a policy, we do not add these types of entities to the notification
  169. list.
  170. Requesting notifications
  171. ========================
  172. If you believe that you, or an organization you are authorized to
  173. represent, fall into one of the groups listed above, you can ask to be
  174. added to Django's notification list by emailing
  175. ``security@djangoproject.com``. Please use the subject line "Security
  176. notification request".
  177. Your request **must** include the following information:
  178. * Your full, real name and the name of the organization you represent,
  179. if applicable, as well as your role within that organization.
  180. * A detailed explanation of how you or your organization fit at least
  181. one set of criteria listed above.
  182. * A detailed explanation of why you are requesting security notifications.
  183. Again, please keep in mind that this is *not* simply a list for users of
  184. Django, and the overwhelming majority of users should subscribe to
  185. |django-announce| to receive advanced notice of when a security release will
  186. happen, without the details of the issues, rather than request detailed
  187. notifications.
  188. * The email address you would like to have added to our notification
  189. list.
  190. * An explanation of who will be receiving/reviewing mail sent to that
  191. address, as well as information regarding any automated actions that
  192. will be taken (i.e., filing of a confidential issue in a bug
  193. tracker).
  194. * For individuals, the ID of a public key associated with your address
  195. which can be used to verify email received from you and encrypt
  196. email sent to you, as needed.
  197. Once submitted, your request will be considered by the Django
  198. development team; you will receive a reply notifying you of the result
  199. of your request within 30 days.
  200. Please also bear in mind that for any individual or organization,
  201. receiving security notifications is a privilege granted at the sole
  202. discretion of the Django development team, and that this privilege can
  203. be revoked at any time, with or without explanation.
  204. .. admonition:: Provide all required information
  205. A failure to provide the required information in your initial contact
  206. will count against you when making the decision on whether or not to
  207. approve your request.