Opened 4 months ago

Closed 4 weeks ago

Last modified 4 weeks ago

#35612 closed Cleanup/optimization (fixed)

Emphasise user responsibility within "Reporting security issues" to detail invalid reports

Reported by: Sarah Boyce Owned by: Sarah Boyce
Component: Documentation Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When reporting a potential security vulnerability, the user's code must follow security best practices. A user has a responsibility to follow best practices, and Django does not mitigate cases where a user has introduced a vulnerability themselves (a common example being forgetting to sanitize user input). That an AI tool[1] can generate insecure code doesn't change this user responsibility.

Having this explicitly documented aims to help improve the quality of reports and/or reduce the amount of time to reply to invalid reports which follow this pattern.

Maybe a note in "Reporting security issues" that highlights this, and also links to the security topic, is an idea.


[1] For context, there was an occasion where a reporter suggested a report is valid because "even ChatGPT" has generated insecure code.

Change History (8)

comment:1 by Natalia Bidart, 4 months ago

Triage Stage: Unreviewed → Accepted

Accepting based on previous conversations within the Security Team.

comment:2 by Olatunji Joshua Kayode, 3 months ago

Owner: set to Olatunji Joshua Kayode
Status: new → assigned

comment:3 by Olatunji Joshua Kayode, 3 months ago

Has patch: set

comment:4 by Sarah Boyce, 3 months ago

Patch needs improvement: set

comment:5 by Sarah Boyce, 4 weeks ago

Owner: changed from Olatunji Joshua Kayode to Sarah Boyce
Patch needs improvement: unset

comment:6 by Sarah Boyce, 4 weeks ago

Triage Stage: Accepted → Ready for checkin

comment:7 by Sarah Boyce <42296566+sarahboyce@…>, 4 weeks ago

Resolution: fixed
Status: assigned → closed

In 9423f8b4:

Fixed #35612 -- Added documentation on how the security team evaluates reports.

Co-authored-by: Joshua Olatunji <joshua+github@…>

comment:8 by Sarah Boyce <42296566+sarahboyce@…>, 4 weeks ago

In a9a7ef77:

[5.1.x] Fixed #35612 -- Added documentation on how the security team evaluates reports.

Co-authored-by: Joshua Olatunji <joshua+github@…>

Backport of 9423f8b47673779049f603a7da271d183de7dc1d from main.
