Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues. As such, we’ve adopted and follow a set of policies which conform to that ideal and are geared toward allowing us to deliver timely security updates to the official distribution of Django, as well as to third-party distributions.
Short version: please report security issues by emailing security@djangoproject.com.
Most normal bugs in Django are reported to our public Trac instance, but due to the sensitive nature of security issues, we ask that they not be publicly reported in this fashion.
Instead, if you believe you’ve found something in Django which has security implications, please send a description of the issue via email to security@djangoproject.com. Mail sent to that address reaches a subset of the core development team, who can forward security issues into the private committers’ mailing list for broader discussion if needed.
You can send encrypted email to this address; the public key ID for security@djangoproject.com is 0xfcb84b8d1d17f80b, and this public key is available from most commonly-used keyservers.
Once you’ve submitted an issue via email, you should receive an acknowledgment from a member of the Django development team within 48 hours, and depending on the action to be taken, you may receive further followup emails.
At any given time, the Django team provides official security support for several versions of Django:
When new releases are issued for security reasons, the accompanying notice will include a list of affected versions. This list is comprised solely of supported versions of Django: older versions may also be affected, but we do not investigate to determine that, and will not issue patches or new releases for those versions.
Our process for taking a security issue from private discussion to public disclosure involves multiple steps.
Approximately one week before full public disclosure, we will send advance notification of the issue to a list of people and organizations, primarily composed of operating-system vendors and other distributors of Django. This notification will consist of an email message, signed with the Django release key, containing:
Simultaneously, the reporter of the issue will receive notification of the date on which we plan to take the issue public.
On the day of disclosure, we will take the following steps:
If a reported issue is believed to be particularly time-sensitive – due to a known exploit in the wild, for example – the time between advance notification and public disclosure may be shortened considerably.
Additionally, if we have reason to believe that an issue reported to us affects other frameworks or tools in the Python/web ecosystem, we may privately contact and discuss those issues with the appropriate maintainers, and coordinate our own disclosure and resolution with theirs.
The full list of people and organizations who receive advance notification of security issues is not and will not be made public.
We also aim to keep this list as small as effectively possible, in order to better manage the flow of confidential information prior to disclosure. As such, our notification list is not simply a list of users of Django, and merely being a user of Django is not sufficient reason to be placed on the notification list.
In broad terms, recipients of security notifications fall into three groups:
Additionally, a maximum of six days prior to disclosure, notification will be sent to the distros@vs.openwall.org mailing list, whose membership includes representatives of most major open-source operating system vendors.
If you believe that you, or an organization you are authorized to represent, fall into one of the groups listed above, you can ask to be added to Django’s notification list by emailing security@djangoproject.com. Please use the subject line “Security notification request”.
Your request must include the following information:
Once submitted, your request will be considered by the Django development team; you will receive a reply notifying you of the result of your request within 30 days.
Please also bear in mind that for any individual or organization, receiving security notifications is a privilege granted at the sole discretion of the Django development team, and that this privilege can be revoked at any time, with or without explanation.
If you are added to the notification list, security-related emails will be sent to you by Django’s release manager, and all notification emails will be signed with the same key used to sign Django releases; that key has the ID 0x3684C0C08C8B2AE1, and is available from most commonly-used keyservers.
Dec 23, 2012