From ba5e9ba8fbca9c71644d9ca7062fb9779d670bcf Mon Sep 17 00:00:00 2001 From: Saptak S Date: Fri, 30 May 2025 13:57:59 +0530 Subject: [PATCH 1/2] Adds SECURITY.md to outline our security policies --- .github/SECURITY.md | 46 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000000..27f0477c56 --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,46 @@ +# Security Policies and Procedures + +This document outlines security procedures and general policies for the Django website (`djangoproject.com`). This is separate from [Django's security policies](https://docs.djangoproject.com/en/dev/internals/security/). + + * [Reporting a Bug](#reporting-a-bug) + * [Reporting Guidelines](#reporting-guidelines) + * [Disclosure Policy](#disclosure-policy) + * [Comments on this Policy](#comments-on-this-policy) + +## Reporting a Bug + +The Django website working group is committed to responsible reporting and +disclosure of security-related issue in our website. We appreciate your efforts +and responsible disclosure. + +Report security bugs and issue by sending an email to website-wg@djangoproject.com. +For encryption, use: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B + +Once you’ve submitted an issue via email, you should receive an acknowledgment +from a member of the website working group within 3 working days. After that, +the website working group will begin their analysis. Depending on the action +to be taken, you may receive followup emails. It can take several weeks before +the website working group comes to a conclusion and resolve the issue. + +## Reporting Guidelines + +While reporting a security issue related to the Django website, we encourage +to follow few guidelines that helps us in analysis and resolving the issue quicker. + + * Include a runnable proof of concept to reproduce the issue + * User input must be sanitized + +## Disclosure Policy + +When the website working group receives a security bug report, they will +identify and fix the issues in the website, involving the following steps: + + * Confirm the problem. + * Audit code to find any potential similar problems. + * Apply the relevant patches to the codebase. + * Deploy the fixed codebase. 
+ +## Comments on this Policy + +If you have suggestions on how this process could be improved please submit a +pull request. From 240b7588e7361b2d6f97d662704de5badc6f4f2d Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Fri, 30 May 2025 08:39:32 +0000 Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .github/SECURITY.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 27f0477c56..efdab7f871 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,10 +2,10 @@ This document outlines security procedures and general policies for the Django website (`djangoproject.com`). This is separate from [Django's security policies](https://docs.djangoproject.com/en/dev/internals/security/). - * [Reporting a Bug](#reporting-a-bug) - * [Reporting Guidelines](#reporting-guidelines) - * [Disclosure Policy](#disclosure-policy) - * [Comments on this Policy](#comments-on-this-policy) +- [Reporting a Bug](#reporting-a-bug) +- [Reporting Guidelines](#reporting-guidelines) +- [Disclosure Policy](#disclosure-policy) +- [Comments on this Policy](#comments-on-this-policy) ## Reporting a Bug 
@@ -27,18 +27,18 @@ the website working group comes to a conclusion and resolve the issue. While reporting a security issue related to the Django website, we encourage to follow few guidelines that helps us in analysis and resolving the issue quicker. - * Include a runnable proof of concept to reproduce the issue - * User input must be sanitized +- Include a runnable proof of concept to reproduce the issue +- User input must be sanitized ## Disclosure Policy When the website working group receives a security bug report, they will identify and fix the issues in the website, involving the following steps: - * Confirm the problem. - * Audit code to find any potential similar problems. - * Apply the relevant patches to the codebase. - * Deploy the fixed codebase. +- Confirm the problem. +- Audit code to find any potential similar problems. +- Apply the relevant patches to the codebase. +- Deploy the fixed codebase. ## Comments on this Policy
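Review bot: in the `@@ -0,0 +1,46 @@` hunk of PATCH 1/2, the "Disclosure Policy" section lists only the working group's internal fix steps (confirm, audit, patch, deploy) and says nothing about disclosure itself: when the reporter is told the fix has shipped, whether the issue is announced publicly, and whether the reporter is credited. Add a line for that, e.g. `* Notify the reporter once the fix is deployed and agree on any public announcement.` The "Reporting Guidelines" item `* User input must be sanitized` reads as a coding rule rather than guidance for a reporter; either drop it or reword it to say what the reporter should do (for instance, keep real user data out of the proof of concept). A few grammar fixes as well: "security-related issue in our website" and "Report security bugs and issue" should be plural, "we encourage to follow few guidelines that helps us" should read "we encourage you to follow a few guidelines that help us", and "comes to a conclusion and resolve the issue" should be "resolves".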
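Review bot: the `@@ -2,10 +2,10 @@` and `@@ -27,18 +27,18 @@` hunks of PATCH 2/2 only swap the ` * ` list markers for `- ` as produced by the pre-commit hook; consider squashing this commit into PATCH 1/2 so the file lands in its linted form in a single commit and the history does not carry a format-only follow-up. The second hunk rewrites the `- User input must be sanitized` line without changing its wording, so a squash would also be the natural place to clarify what that guideline asks of a reporter.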