Opened 2 months ago
Last modified 6 weeks ago
#35612 assigned Cleanup/optimization
Emphasise user responsibility within "Reporting security issues" to detail invalid reports
| Reported by: | Sarah Boyce | Owned by: | Olatunji Joshua Kayode |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
When reporting a potential security vulnerability, the user's code must follow security best practices. A user has a responsibility to follow best practices and Django does not mitigate against when a user has introduced a vulnerability themselves (a common example being forgetting to sanitize user input). That an AI tool1 can generating insecure code doesn't change this user responsibility.
Having this explicitly documented aims to help improve the quality of reports and/or reduce the amount of time to reply to invalid reports which follow this pattern.
Maybe a note in reporting security issues that highlights which also links to the security topic is an idea.
1. For context, there was an occasion where a reporter suggested a report is valid because "even ChatGPT" has generated insecure code
Change History (4)
comment:1 by , 2 months ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 7 weeks ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:3 by , 6 weeks ago
| Has patch: | set |
|---|
comment:4 by , 6 weeks ago
| Patch needs improvement: | set |
|---|
Accepting based on previous conversations within the Security Team.