Django's security policies

Django's development team is strongly committed to responsiblereporting and disclosure of security-related issues. As such, we'veadopted and follow a set of policies which conform to that ideal andare geared toward allowing us to deliver timely security updates tothe official distribution of Django, as well as to third-partydistributions.

Reporting security issues

Short version: please report security issues by emailingsecurity@djangoproject.com.

Most normal bugs in Django are reported to our public Trac instance, butdue to the sensitive nature of security issues, we ask that they not bepublicly reported in this fashion.

Instead, if you believe you've found something in Django which has securityimplications, please send a description of the issue via email tosecurity@djangoproject.com. Mail sent to that address reaches the securityteam.

Once you've submitted an issue via email, you should receive an acknowledgmentfrom a member of the security team within 48 hours, and depending on theaction to be taken, you may receive further followup emails.

Sending encrypted reports

If you want to send an encrypted email (optional), the public key ID forsecurity@djangoproject.com is 0xfcb84b8d1d17f80b, and this publickey is available from most commonly-used keyservers.

Supported versions

At any given time, the Django team provides official security supportfor several versions of Django:

  • The master development branch, hosted on GitHub, which will become thenext major release of Django, receives security support. Security issues thatonly affect the master development branch and not any stable released versionsare fixed in public without going through the disclosure process.
  • The two most recent Django release series receive securitysupport. For example, during the development cycle leading to therelease of Django 1.5, support will be provided for Django 1.4 andDjango 1.3. Upon the release of Django 1.5, Django 1.3's securitysupport will end.
  • Long-term support releases will receive security updates for aspecified period.
    When new releases are issued for security reasons, the accompanyingnotice will include a list of affected versions. This list iscomprised solely of supported versions of Django: older versions mayalso be affected, but we do not investigate to determine that, andwill not issue patches or new releases for those versions.

How Django discloses security issues

Our process for taking a security issue from private discussion topublic disclosure involves multiple steps.

Approximately one week before public disclosure, we send two notifications:

First, we notify django-announce of the date and approximate time of theupcoming security release, as well as the severity of the issues. This is toaid organizations that need to ensure they have staff available to handletriaging our announcement and upgrade Django as needed. Severity levels are:

High:

  • Remote code execution

  • SQL injection
    Moderate:

  • Cross site scripting (XSS)

  • Cross site request forgery (CSRF)
  • Denial-of-service attacks

  • Broken authentication
    Low:

  • Sensitive data exposure

  • Broken session management
  • Unvalidated redirects/forwards

  • Issues requiring an uncommon configuration option
    Second, we notify a list of people and organizations, primarily composed of operating-system vendors andother distributors of Django. This email is signed with the PGP key of someonefrom Django's release team and consists of:

  • A full description of the issue and the affected versions of Django.

  • The steps we will be taking to remedy the issue.
  • The patch(es), if any, that will be applied to Django.

  • The date on which the Django team will apply these patches, issuenew releases and publicly disclose the issue.
    On the day of disclosure, we will take the following steps:

  • Apply the relevant patch(es) to Django's codebase.

  • Issue the relevant release(s), by placing new packages on thePython Package Index and on the Django website, and tagging thenew release(s) in Django's git repository.
  • Post a public entry on the official Django development blog,describing the issue and its resolution in detail, pointing to therelevant patches and new releases, and crediting the reporter ofthe issue (if the reporter wishes to be publicly identified).
  • Post a notice to the django-announce and oss-security@lists.openwall.commailing lists that links to the blog post.
    If a reported issue is believed to be particularly time-sensitive —due to a known exploit in the wild, for example — the time betweenadvance notification and public disclosure may be shortenedconsiderably.

Additionally, if we have reason to believe that an issue reported tous affects other frameworks or tools in the Python/web ecosystem, wemay privately contact and discuss those issues with the appropriatemaintainers, and coordinate our own disclosure and resolution withtheirs.

The Django team also maintains an archive of security issuesdisclosed in Django.

Who receives advance notification

The full list of people and organizations who receive advancenotification of security issues is not and will not be made public.

We also aim to keep this list as small as effectively possible, inorder to better manage the flow of confidential information prior todisclosure. As such, our notification list is not simply a list ofusers of Django, and merely being a user of Django is not sufficientreason to be placed on the notification list.

In broad terms, recipients of security notifications fall into threegroups:

  • Operating-system vendors and other distributors of Django whoprovide a suitably-generic (i.e., not an individual's personalemail address) contact address for reporting issues with theirDjango package, or for general security reporting. In either case,such addresses must not forward to public mailing lists or bugtrackers. Addresses which forward to the private email of anindividual maintainer or security-response contact are acceptable,although private security trackers or security-response groups arestrongly preferred.
  • On a case-by-case basis, individual package maintainers who havedemonstrated a commitment to responding to and responsibly actingon these notifications.
  • On a case-by-case basis, other entities who, in the judgment of theDjango development team, need to be made aware of a pendingsecurity issue. Typically, membership in this group will consist ofsome of the largest and/or most likely to be severely impactedknown users or distributors of Django, and will require ademonstrated ability to responsibly receive, keep confidential andact on these notifications.

Requesting notifications

If you believe that you, or an organization you are authorized torepresent, fall into one of the groups listed above, you can ask to beadded to Django's notification list by emailingsecurity@djangoproject.com. Please use the subject line "Securitynotification request".

Your request must include the following information:

  • Your full, real name and the name of the organization you represent,if applicable, as well as your role within that organization.
  • A detailed explanation of how you or your organization fit at leastone set of criteria listed above.
  • A detailed explanation of why you are requesting security notifications.Again, please keep in mind that this is not simply a list for users ofDjango, and the overwhelming majority of users should subscribe todjango-announce to receive advanced notice of when a security release willhappen, without the details of the issues, rather than request detailednotifications.
  • The email address you would like to have added to our notificationlist.
  • An explanation of who will be receiving/reviewing mail sent to thataddress, as well as information regarding any automated actions thatwill be taken (i.e., filing of a confidential issue in a bugtracker).
  • For individuals, the ID of a public key associated with your addresswhich can be used to verify email received from you and encryptemail sent to you, as needed.
    Once submitted, your request will be considered by the Djangodevelopment team; you will receive a reply notifying you of the resultof your request within 30 days.

Please also bear in mind that for any individual or organization,receiving security notifications is a privilege granted at the solediscretion of the Django development team, and that this privilege canbe revoked at any time, with or without explanation.