Security Team
This page is used by the security team to help with the process of analyzing and replying to security reports.
Canned Responses
Report acknowledgement
Hello,
Thank you for your report. We will investigate and get back to you soon. In the meantime, please keep this information confidential.
If you haven't already, please review how the Django security team evaluates reports: https://docs.djangoproject.com/en/dev/internals/security/.
Note that it can take several weeks before we have completed our analysis. There is no need to chase the security team unless you discover new, relevant information. All reports aim to be resolved within the industry-standard 90 days.
Kind regards, the Django Security Team.
DMARC/SPF/Email Spoofing
Hello,
Thank you for your report. The current DMARC and SPF settings are intentional, and we do not consider this a vulnerability.
For more information on how the Django security team evaluates reports, please see: https://docs.djangoproject.com/en/dev/internals/security/.
Kind regards, the Django Security Team.
Report about djangoproject.com
Hello,
Thank you for your report. This mailing list is intended for reporting security issues related to the Django web framework, rather than its website. I will forward your concern to our Ops team, but you can consider this issue closed.
For more information on how the Django security team evaluates reports, please see: https://docs.djangoproject.com/en/dev/internals/security/.
Kind regards, the Django Security Team.
Asked for support instead
Hello,
This mailing list is intended for reporting security issues in the Django web framework, not for support related to using or contributing to Django.
For assistance, please refer to the Getting Help page (https://docs.djangoproject.com/en/dev/faq/help/), where you'll find resources and communities ready to support you. Following these guidelines will also help you structure your question in a way that makes it easier for others to assist.
Thanks for your understanding!
Confirmation of vulnerability
Hello {{ name }},
Thank you for your report and patience. We have confirmed the vulnerability, which has been assigned {{ cve_number }}.
I have attached our proposed mitigation solution. Could you please test the patch to ensure it reliably fixes the issue?
We plan to mention the discoverer of the vulnerability in a blog post. Is "{{ name }}" okay, or would you prefer to be credited differently?
The Django release with this fix is currently planned for {{ planned_release_date }}. Please keep this private until after the updated versions are published.
Thank you again!