Opened 3 months ago
Last modified 12 hours ago
#35612 assigned Cleanup/optimization
Emphasise user responsibility within "Reporting security issues" to detail invalid reports
Reported by: | Sarah Boyce | Owned by: | Sarah Boyce |
---|---|---|---|
Component: | Documentation | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When reporting a potential security vulnerability, the user's code must follow security best practices. A user has a responsibility to follow best practices, and Django does not mitigate against cases where a user has introduced a vulnerability themselves (a common example being forgetting to sanitize user input). That an AI tool [1] can generate insecure code doesn't change this user responsibility.
Having this explicitly documented aims to help improve the quality of reports and/or reduce the amount of time to reply to invalid reports which follow this pattern.
Maybe a note in "Reporting security issues" that highlights this, and which also links to the security topic, is an idea.
[1] For context, there was an occasion where a reporter suggested a report is valid because "even ChatGPT" has generated insecure code.
Change History (5)
comment:1 by , 3 months ago
Triage Stage: | Unreviewed → Accepted |
---|---|
comment:2 by , 2 months ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:3 by , 2 months ago
Has patch: | set |
---|---|
comment:4 by , 2 months ago
Patch needs improvement: | set |
---|---|
comment:5 by , 12 hours ago
Owner: | changed from | to |
---|---|---|
Patch needs improvement: | unset | |
Accepting based on previous conversations within the Security Team.