Adds SECURITY.md to outline our security policies #2086
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| # Security Policies and Procedures | ||
|
|
||
| This document outlines security procedures and general policies for the Django website (`djangoproject.com`). This is separate from [Django's security policies](https://docs.djangoproject.com/en/dev/internals/security/). | ||
|
|
||
| * [Reporting a Bug](#reporting-a-bug) | ||
| * [Reporting Guidelines](#reporting-guidelines) | ||
| * [Disclosure Policy](#disclosure-policy) | ||
| * [Comments on this Policy](#comments-on-this-policy) | ||
|
|
||
| ## Reporting a Bug | ||
|
|
||
| The Django website working group is committed to responsible reporting and | ||
| disclosure of security-related issue in our website. We appreciate your efforts | ||
|
|
||
| and responsible disclosure. | ||
|
|
||
| Report security bugs and issue by sending an email to [email protected]. | ||
| For encryption, use: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B | ||
|
There was a problem hiding this comment. @SaptakS this does not look correct to me. This key is for [email protected]. Our working group does not posses the private key so we would be unable to decrypt messages that were encrypted with this key. Perhaps GitHub's 'report a vulnerability' feature could be recommended instead as a secure alternative? https://github.com/django/djangoproject.com/security/advisories/new |
||
|
|
||
| Once you’ve submitted an issue via email, you should receive an acknowledgment | ||
| from a member of the website working group within 3 working days. After that, | ||
| the website working group will begin their analysis. Depending on the action | ||
| to be taken, you may receive followup emails. It can take several weeks before | ||
| the website working group comes to a conclusion and resolve the issue. | ||
|
There was a problem hiding this comment. I have mostly just copied from Django's security policy. We might want to update. There was a problem hiding this comment. I'd remove or extend the 3 working days timeline, we don't need to set a timeline on ourselves like for the framework. |
||
|
|
||
| ## Reporting Guidelines | ||
|
|
||
| While reporting a security issue related to the Django website, we encourage | ||
| to follow few guidelines that helps us in analysis and resolving the issue quicker. | ||
|
There was a problem hiding this comment. "we encourage to follow few guidelines that helps us" => "we encourage you to follow a few guidelines that help us" |
||
|
|
||
| * Include a runnable proof of concept to reproduce the issue | ||
| * User input must be sanitized | ||
|
|
||
| ## Disclosure Policy | ||
|
|
||
| When the website working group receives a security bug report, they will | ||
| identify and fix the issues in the website, involving the following steps: | ||
|
|
||
| * Confirm the problem. | ||
| * Audit code to find any potential similar problems. | ||
| * Apply the relevant patches to the codebase. | ||
| * Deploy the fixed codebase. | ||
|
|
||
| ## Comments on this Policy | ||
|
|
||
| If you have suggestions on how this process could be improved please submit a | ||
| pull request. | ||
|
Comment on lines
+45
to
+46
There was a problem hiding this comment. Could we make this a direct link to the 'edit file' feature in GitHub? Make it as easy as possible to suggest improvements. |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we mention this also covers
docs.djangoproject.comsince this is the same application?