Commit 6a0f355

Adds SECURITY.md to outline our security policies
1 parent 6a032b2 commit 6a0f355

1 file changed: +46 -0 lines changed

.github/SECURITY.md

Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
# Security Policies and Procedures
2+
3+
This document outlines security procedures and general policies for the Django website (`djangoproject.com`). This is separate from [Django's security policies](https://docs.djangoproject.com/en/dev/internals/security/).
4+
5+
* [Reporting a Bug](#reporting-a-bug)
6+
* [Reporting Guidelines](#reporting-guidelines)
7+
* [Disclosure Policy](#disclosure-policy)
8+
* [Comments on this Policy](#comments-on-this-policy)
9+
10+
## Reporting a Bug
11+
12+
The Django website working group is committed to responsible reporting and
13+
disclosure of security-related issue in our website. We appreciate your efforts
14+
and responsible disclosure.
15+
16+
Report security bugs and issue by sending an email to website-wg@djangoproject.com.
17+
For encryption, use: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B
18+
19+
Once you’ve submitted an issue via email, you should receive an acknowledgment
20+
from a member of the website working group within 3 working days. After that,
21+
the website working group will begin their analysis. Depending on the action
22+
to be taken, you may receive followup emails. It can take several weeks before
23+
the website working group comes to a conclusion and resolve the issue.
24+
25+
## Reporting Guidelines
26+
27+
While reporting a security issue related to the Django website, we encourage
28+
to follow few guidelines that helps us in analysis and resolving the issue quicker.
29+
30+
* Include a runnable proof of concept to reproduce the issue
31+
* User input must be sanitized
32+
33+
## Disclosure Policy
34+
35+
When the website working group receives a security bug report, they will
36+
identify and fix the issues in the website, involving the following steps:
37+
38+
* Confirm the problem.
39+
* Audit code to find any potential similar problems.
40+
* Apply the relevant patches to the codebase.
41+
* Deploy the fixed codebase.
42+
43+
## Comments on this Policy
44+
45+
If you have suggestions on how this process could be improved please submit a
46+
pull request.
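Review bot: the second bullet under "Reporting Guidelines" (line 31, "User input must be sanitized") does not tell a reporter what to do; it reads as a development rule rather than a reporting guideline, and it sits next to "Include a runnable proof of concept to reproduce the issue", which is actionable. Either drop it or rephrase it as something the reporter can supply, for example the exact input and request that trigger the issue and the affected URL or component. Related documentation gap: the "Disclosure Policy" section (lines 33 to 41) lists the remediation steps (confirm, audit, patch, deploy) but never says when or how the issue is made public, whether the reporter is told before publication, or whether they are credited, so the heading promises more than the section delivers; a sentence on the public announcement and on coordinating the date with the reporter would close that. Finally, several sentences need grammar fixes: line 13 "security-related issue" and line 16 "security bugs and issue" should be plural ("issues"); line 23 "comes to a conclusion and resolve the issue" should read "resolves"; lines 27 to 28 should read "we encourage you to follow a few guidelines that help us analyse and resolve the issue more quickly"; line 22 "followup" is conventionally "follow-up".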
