Updated the contributing document to accurately reflect our security process.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16032 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
d59baa07f0
commit
d78e08f4a0
|
@ -104,19 +104,19 @@ following actions:
|
||||||
fix is forthcoming. We'll give a rough timeline and ask the reporter
|
fix is forthcoming. We'll give a rough timeline and ask the reporter
|
||||||
to keep the issue confidential until we announce it.
|
to keep the issue confidential until we announce it.
|
||||||
|
|
||||||
* Halt all other development as long as is needed to develop a fix,
|
* Focus on developing a fix as quickly as possible and produce patches
|
||||||
including patches against the current and two previous releases.
|
against the current and two previous releases.
|
||||||
|
|
||||||
* Determine a go-public date for announcing the vulnerability and the fix.
|
* Determine a go-public date for announcing the vulnerability and the fix.
|
||||||
To try to mitigate a possible "arms race" between those applying the
|
To try to mitigate a possible "arms race" between those applying the
|
||||||
patch and those trying to exploit the hole, we will not announce
|
patch and those trying to exploit the hole, we will not announce
|
||||||
security problems immediately.
|
security problems immediately.
|
||||||
|
|
||||||
* Pre-notify everyone we know to be running the affected version(s) of
|
* Pre-notify third-party distributors of Django ("vendors"). We will send
|
||||||
Django. We will send these notifications through private email
|
these vendor notifications through private email which will include
|
||||||
which will include documentation of the vulnerability, links to the
|
documentation of the vulnerability, links to the relevant patch(es), and a
|
||||||
relevant patch(es), and a request to keep the vulnerability
|
request to keep the vulnerability confidential until the official
|
||||||
confidential until the official go-public date.
|
go-public date.
|
||||||
|
|
||||||
* Publicly announce the vulnerability and the fix on the pre-determined
|
* Publicly announce the vulnerability and the fix on the pre-determined
|
||||||
go-public date. This will probably mean a new release of Django, but
|
go-public date. This will probably mean a new release of Django, but
|
||||||
|
|
Loading…
Reference in New Issue