Opened 3 months ago

Last modified 12 hours ago

#35612 assigned Cleanup/optimization

Emphasise user responsibility within "Reporting security issues" to detail invalid reports

Reported by: Sarah Boyce Owned by: Sarah Boyce
Component: Documentation Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When reporting a potential security vulnerability, the user's code must follow security best practices. A user has a responsibility to follow best practices and Django does not mitigate against when a user has introduced a vulnerability themselves (a common example being forgetting to sanitize user input). That an AI tool1 can generating insecure code doesn't change this user responsibility.

Having this explicitly documented aims to help improve the quality of reports and/or reduce the amount of time to reply to invalid reports which follow this pattern.

Maybe a note in reporting security issues that highlights which also links to the security topic is an idea.


1. For context, there was an occasion where a reporter suggested a report is valid because "even ChatGPT" has generated insecure code

Change History (5)

comment:1 by Natalia Bidart, 3 months ago

Triage Stage: UnreviewedAccepted

Accepting based on previous conversations within the Security Team.

comment:2 by Olatunji Joshua Kayode, 2 months ago

Owner: set to Olatunji Joshua Kayode
Status: newassigned

comment:3 by Olatunji Joshua Kayode, 2 months ago

Has patch: set

comment:4 by Sarah Boyce, 2 months ago

Patch needs improvement: set

comment:5 by Sarah Boyce, 12 hours ago

Owner: changed from Olatunji Joshua Kayode to Sarah Boyce
Patch needs improvement: unset
Note: See TracTickets for help on using tickets.
Back to Top