Updated the contributing document to accurately reflect our security process.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16032 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Jacob Kaplan-Moss 2011-04-17 14:13:19 +00:00
parent d59baa07f0
commit d78e08f4a0
1 changed files with 7 additions and 7 deletions


@ -104,19 +104,19 @@ following actions:
fix is forthcoming. We'll give a rough timeline and ask the reporter fix is forthcoming. We'll give a rough timeline and ask the reporter
to keep the issue confidential until we announce it. to keep the issue confidential until we announce it.
* Halt all other development as long as is needed to develop a fix, * Focus on developing a fix as quickly as possible and produce patches
including patches against the current and two previous releases. against the current and two previous releases.
* Determine a go-public date for announcing the vulnerability and the fix. * Determine a go-public date for announcing the vulnerability and the fix.
To try to mitigate a possible "arms race" between those applying the To try to mitigate a possible "arms race" between those applying the
patch and those trying to exploit the hole, we will not announce patch and those trying to exploit the hole, we will not announce
security problems immediately. security problems immediately.
* Pre-notify everyone we know to be running the affected version(s) of * Pre-notify third-party distributors of Django ("vendors"). We will send
Django. We will send these notifications through private email these vendor notifications through private email which will include
which will include documentation of the vulnerability, links to the documentation of the vulnerability, links to the relevant patch(es), and a
relevant patch(es), and a request to keep the vulnerability request to keep the vulnerability confidential until the official
confidential until the official go-public date. go-public date.
* Publicly announce the vulnerability and the fix on the pre-determined * Publicly announce the vulnerability and the fix on the pre-determined
go-public date. This will probably mean a new release of Django, but go-public date. This will probably mean a new release of Django, but
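Review bot: the rewritten pre-notification bullet (the "Pre-notify third-party distributors" lines) narrows the audience to vendors but leaves two things undefined that the old wording at least implied: how a distributor gets onto the private notification list, and how far ahead of the go-public date the private email goes out. Consider adding a sentence after "go-public date." such as "Distributors who wish to receive pre-notification should contact the security team; notifications are sent [N] days before the go-public date", filling in the real contact point and lead time from the rest of the document, since neither appears in this hunk. The same bullet could also state what happens if a vendor breaks confidentiality (for example, moving the go-public date forward), which is the case the "arms race" paragraph above is worried about.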