Emphasise user responsibility within "Reporting security issues" to detail invalid reports
When reporting a potential security vulnerability, the user's code must follow security best practices. A user has a responsibility to follow best practices, and Django does not mitigate cases where a user has introduced a vulnerability themselves (a common example being forgetting to sanitize user input). That an AI tool[1] can generate insecure code doesn't change this user responsibility.
Having this explicitly documented aims to help improve the quality of reports and/or reduce the amount of time to reply to invalid reports which follow this pattern.
Maybe a note in "Reporting security issues" that highlights this, and also links to the security topic, is an idea.
[1] For context, there was an occasion where a reporter suggested a report was valid because "even ChatGPT" had generated insecure code.
Change History (8)

Triage Stage: Unreviewed → Accepted
Owner: set to Olatunji Joshua Kayode
Status: new → assigned
Patch needs improvement: set
Owner: changed from Olatunji Joshua Kayode to Sarah Boyce
Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin
Resolution: → fixed
Status: assigned → closed
Accepting based on previous conversations within the Security Team.