Adds SECURITY.md to outline our security policies #2086
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| # Security Policies and Procedures | ||
|
|
||
| This document outlines security procedures and general policies for the Django website (`djangoproject.com`). This is separate from [Django's security policies](https://docs.djangoproject.com/en/dev/internals/security/). | ||
|
|
||
| - [Reporting a Bug](#reporting-a-bug) | ||
| - [Reporting Guidelines](#reporting-guidelines) | ||
| - [Disclosure Policy](#disclosure-policy) | ||
| - [Comments on this Policy](#comments-on-this-policy) | ||
|
|
||
| ## Reporting a Bug | ||
|
|
||
| The Django website working group is committed to responsible reporting and | ||
| disclosure of security-related issue in our website. We appreciate your efforts | ||
| and responsible disclosure. | ||
|
|
||
| Report security bugs and issue by sending an email to [email protected]. | ||
| For encryption, use: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B | ||
|
|
||
| Once you’ve submitted an issue via email, you should receive an acknowledgment | ||
| from a member of the website working group within 3 working days. After that, | ||
| the website working group will begin their analysis. Depending on the action | ||
| to be taken, you may receive followup emails. It can take several weeks before | ||
| the website working group comes to a conclusion and resolve the issue. | ||
|
There was a problem hiding this comment. I have mostly just copied from Django's security policy. We might want to update. There was a problem hiding this comment. I'd remove or extend the 3 working days timeline, we don't need to set a timeline on ourselves like for the framework. |
||
|
|
||
| ## Reporting Guidelines | ||
|
|
||
| While reporting a security issue related to the Django website, we encourage | ||
| to follow few guidelines that helps us in analysis and resolving the issue quicker. | ||
|
There was a problem hiding this comment. "we encourage to follow few guidelines that helps us" => "we encourage you to follow a few guidelines that help us" |
||
|
|
||
| - Include a runnable proof of concept to reproduce the issue | ||
| - User input must be sanitized | ||
|
There was a problem hiding this comment. Are there other website specific guidelines we want to add? There was a problem hiding this comment. What does "User input must be sanitized" means in this context? |
||
|
|
||
| ## Disclosure Policy | ||
|
|
||
| When the website working group receives a security bug report, they will | ||
| identify and fix the issues in the website, involving the following steps: | ||
|
|
||
| - Confirm the problem. | ||
| - Audit code to find any potential similar problems. | ||
| - Apply the relevant patches to the codebase. | ||
| - Deploy the fixed codebase. | ||
|
There was a problem hiding this comment. Do we know how we want to disclose a security issue, since for the website, we don't really need to make releases and ask users to update. Maybe this section should be titled differently. Thoughts? There was a problem hiding this comment. My first thought would be, do we even need a disclosure policy at all? There was a problem hiding this comment. I doubt we'd need to disclose anything unless user data is compromised. |
||
|
|
||
| ## Comments on this Policy | ||
|
|
||
| If you have suggestions on how this process could be improved please submit a | ||
| pull request. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"issue in" => "issues on"