<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=""> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django’s security policies — Django 1.8.19 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.8.19', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="index" title="Index" href="../genindex.html" /> <link rel="search" title="Search" href="../search.html" /> <link rel="top" title="Django 1.8.19 documentation" href="../contents.html" /> <link rel="up" title="Django internals" href="index.html" /> <link rel="next" title="Django’s release process" href="release-process.html" /> <link rel="prev" title="Roles" href="roles.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body role="document"> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.8.19 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="roles.html" title="Roles">previous</a> | <a href="index.html" title="Django internals" accesskey="U">up</a> | <a href="release-process.html" title="Django&#8217;s release process">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="internals-security"> <div class="section" id="s-django-s-security-policies"> <span id="s-internals-security"></span><span id="django-s-security-policies"></span><span id="internals-security"></span><h1>Django’s security policies<a class="headerlink" href="#django-s-security-policies" title="Permalink to this headline">¶</a></h1> <p>Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues. As such, we’ve adopted and follow a set of policies which conform to that ideal and are geared toward allowing us to deliver timely security updates to the official distribution of Django, as well as to third-party distributions.</p> <div class="section" id="s-reporting-security-issues"> <span id="s-id1"></span><span id="reporting-security-issues"></span><span id="id1"></span><h2>Reporting security issues<a class="headerlink" href="#reporting-security-issues" title="Permalink to this headline">¶</a></h2> <p><strong>Short version: please report security issues by emailing security@djangoproject.com</strong>.</p> <p>Most normal bugs in Django are reported to <a class="reference external" href="https://code.djangoproject.com/query">our public Trac instance</a>, but due to the sensitive nature of security issues, we ask that they <strong>not</strong> be publicly reported in this fashion.</p> <p>Instead, if you believe you’ve found something in Django which has security implications, please send a description of the issue via email to <code class="docutils literal"><span class="pre">security@djangoproject.com</span></code>. Mail sent to that address reaches a <a class="reference internal" href="roles.html#security-team-list"><span class="std std-ref">subset of the core team</span></a>, who can forward security issues into the private committers’ mailing list for broader discussion if needed.</p> <p>Once you’ve submitted an issue via email, you should receive an acknowledgment from a member of the security team within 48 hours, and depending on the action to be taken, you may receive further followup emails.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">If you want to send an encrypted email (<em>optional</em>), the public key ID for <code class="docutils literal"><span class="pre">security@djangoproject.com</span></code> is <code class="docutils literal"><span class="pre">0xfcb84b8d1d17f80b</span></code>, and this public key is available from most commonly-used keyservers.</p> </div> </div> <div class="section" id="s-supported-versions"> <span id="s-security-support"></span><span id="supported-versions"></span><span id="security-support"></span><h2>Supported versions<a class="headerlink" href="#supported-versions" title="Permalink to this headline">¶</a></h2> <p>At any given time, the Django team provides official security support for several versions of Django:</p> <ul class="simple"> <li>The <a class="reference external" href="https://github.com/django/django/">master development branch</a>, hosted on GitHub, which will become the next release of Django, receives security support.</li> <li>The two most recent Django release series receive security support. For example, during the development cycle leading to the release of Django 1.5, support will be provided for Django 1.4 and Django 1.3. Upon the release of Django 1.5, Django 1.3’s security support will end.</li> <li><a class="reference internal" href="release-process.html#lts-releases"><span class="std std-ref">Long-term support (LTS) releases</span></a> will receive security updates for a specified period.</li> </ul> <p>When new releases are issued for security reasons, the accompanying notice will include a list of affected versions. This list is comprised solely of <em>supported</em> versions of Django: older versions may also be affected, but we do not investigate to determine that, and will not issue patches or new releases for those versions.</p> </div> <div class="section" id="s-how-django-discloses-security-issues"> <span id="s-security-disclosure"></span><span id="how-django-discloses-security-issues"></span><span id="security-disclosure"></span><h2>How Django discloses security issues<a class="headerlink" href="#how-django-discloses-security-issues" title="Permalink to this headline">¶</a></h2> <p>Our process for taking a security issue from private discussion to public disclosure involves multiple steps.</p> <p>Approximately one week before full public disclosure, we will send advance notification of the issue to a list of people and organizations, primarily composed of operating-system vendors and other distributors of Django. This notification will consist of an email message, signed with the Django release key, containing:</p> <ul class="simple"> <li>A full description of the issue and the affected versions of Django.</li> <li>The steps we will be taking to remedy the issue.</li> <li>The patch(es), if any, that will be applied to Django.</li> <li>The date on which the Django team will apply these patches, issue new releases and publicly disclose the issue.</li> </ul> <p>Simultaneously, the reporter of the issue will receive notification of the date on which we plan to take the issue public.</p> <p>On the day of disclosure, we will take the following steps:</p> <ol class="arabic simple"> <li>Apply the relevant patch(es) to Django’s codebase. The commit messages for these patches will indicate that they are for security issues, but will not describe the issue in any detail; instead, they will warn of upcoming disclosure.</li> <li>Issue the relevant release(s), by placing new packages on <a class="reference external" href="https://pypi.python.org/pypi">the Python Package Index</a> and on the Django website, and tagging the new release(s) in Django’s git repository.</li> <li>Post a public entry on <a class="reference external" href="https://www.djangoproject.com/weblog/">the official Django development blog</a>, describing the issue and its resolution in detail, pointing to the relevant patches and new releases, and crediting the reporter of the issue (if the reporter wishes to be publicly identified).</li> <li>Post a notice to the <a class="reference internal" href="mailing-lists.html#django-announce-mailing-list"><span class="std std-ref">django-announce</span></a> mailing list that links to the blog post.</li> </ol> <p>If a reported issue is believed to be particularly time-sensitive – due to a known exploit in the wild, for example – the time between advance notification and public disclosure may be shortened considerably.</p> <p>Additionally, if we have reason to believe that an issue reported to us affects other frameworks or tools in the Python/web ecosystem, we may privately contact and discuss those issues with the appropriate maintainers, and coordinate our own disclosure and resolution with theirs.</p> <p>The Django team also maintains an <a class="reference internal" href="../releases/security.html"><span class="doc">archive of security issues disclosed in Django</span></a>.</p> </div> <div class="section" id="s-who-receives-advance-notification"> <span id="s-security-notifications"></span><span id="who-receives-advance-notification"></span><span id="security-notifications"></span><h2>Who receives advance notification<a class="headerlink" href="#who-receives-advance-notification" title="Permalink to this headline">¶</a></h2> <p>The full list of people and organizations who receive advance notification of security issues is not and will not be made public.</p> <p>We also aim to keep this list as small as effectively possible, in order to better manage the flow of confidential information prior to disclosure. As such, our notification list is <em>not</em> simply a list of users of Django, and merely being a user of Django is not sufficient reason to be placed on the notification list.</p> <p>In broad terms, recipients of security notifications fall into three groups:</p> <ol class="arabic simple"> <li>Operating-system vendors and other distributors of Django who provide a suitably-generic (i.e., <em>not</em> an individual’s personal email address) contact address for reporting issues with their Django package, or for general security reporting. In either case, such addresses <strong>must not</strong> forward to public mailing lists or bug trackers. Addresses which forward to the private email of an individual maintainer or security-response contact are acceptable, although private security trackers or security-response groups are strongly preferred.</li> <li>On a case-by-case basis, individual package maintainers who have demonstrated a commitment to responding to and responsibly acting on these notifications.</li> <li>On a case-by-case basis, other entities who, in the judgment of the Django development team, need to be made aware of a pending security issue. Typically, membership in this group will consist of some of the largest and/or most likely to be severely impacted known users or distributors of Django, and will require a demonstrated ability to responsibly receive, keep confidential and act on these notifications.</li> </ol> <p>Additionally, a maximum of six days prior to disclosure, notification will be sent to the <code class="docutils literal"><span class="pre">distros@vs.openwall.org</span></code> mailing list, whose membership includes representatives of most major open-source operating system vendors.</p> </div> <div class="section" id="s-requesting-notifications"> <span id="requesting-notifications"></span><h2>Requesting notifications<a class="headerlink" href="#requesting-notifications" title="Permalink to this headline">¶</a></h2> <p>If you believe that you, or an organization you are authorized to represent, fall into one of the groups listed above, you can ask to be added to Django’s notification list by emailing <code class="docutils literal"><span class="pre">security@djangoproject.com</span></code>. Please use the subject line “Security notification request”.</p> <p>Your request <strong>must</strong> include the following information:</p> <ul class="simple"> <li>Your full, real name and the name of the organization you represent, if applicable, as well as your role within that organization.</li> <li>A detailed explanation of how you or your organization fit at least one set of criteria listed above.</li> <li>A detailed explanation of why you are requesting security notifications. Again, please keep in mind that this is <em>not</em> simply a list for users of Django, and the overwhelming majority of users of Django should not request notifications and will not be added to our notification list if they do.</li> <li>The email address you would like to have added to our notification list.</li> <li>An explanation of who will be receiving/reviewing mail sent to that address, as well as information regarding any automated actions that will be taken (i.e., filing of a confidential issue in a bug tracker).</li> <li>For individuals, the ID of a public key associated with your address which can be used to verify email received from you and encrypt email sent to you, as needed.</li> </ul> <p>Once submitted, your request will be considered by the Django development team; you will receive a reply notifying you of the result of your request within 30 days.</p> <p>Please also bear in mind that for any individual or organization, receiving security notifications is a privilege granted at the sole discretion of the Django development team, and that this privilege can be revoked at any time, with or without explanation.</p> <p>If you are added to the notification list, security-related emails will be sent to you by Django’s release team, and all notification emails will be signed with a key authorized to issue Django releases. The list of authorized keys is in <a class="reference external" href="https://www.djangoproject.com/m/pgp/django-releasers.txt">the Django releasers file</a>.</p> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar" role="navigation" aria-label="main navigation"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django’s security policies</a><ul> <li><a class="reference internal" href="#reporting-security-issues">Reporting security issues</a></li> <li><a class="reference internal" href="#supported-versions">Supported versions</a></li> <li><a class="reference internal" href="#how-django-discloses-security-issues">How Django discloses security issues</a></li> <li><a class="reference internal" href="#who-receives-advance-notification">Who receives advance notification</a></li> <li><a class="reference internal" href="#requesting-notifications">Requesting notifications</a></li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="roles.html">Roles</a></li> <li>Next: <a href="release-process.html">Django’s release process</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.8.19 documentation</a> <ul><li><a href="index.html">Django internals</a> <ul><li>Django’s security policies</li></ul> </li></ul> </li> </ul> <div role="note" aria-label="source link"> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/internals/security.txt" rel="nofollow">Show Source</a></li> </ul> </div> <div id="searchbox" style="display: none" role="search"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <div><input type="text" name="q" /></div> <div><input type="submit" value="Go" /></div> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Mar 10, 2018</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="roles.html" title="Roles">previous</a> | <a href="index.html" title="Django internals" accesskey="U">up</a> | <a href="release-process.html" title="Django&#8217;s release process">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>