Refs #35612 -- Extended docs on how the security team evaluates reports.

Co-authored-by: Shai Berger <shai@platonix.com>
2025-02-04 08:54:01 -03:00 · 2025-02-04 08:54:01 -03:00 · f609a2da86
parent 1330cb5705
commit f609a2da86
1 changed files with 8 additions and 2 deletions
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@ -49,8 +49,14 @@ requires a security release:
 * The vulnerability is within a :ref:`supported version <security-support>` of
  Django.

-* The vulnerability applies to a production-grade Django application. This means
-  the following do not require a security release:
+* The vulnerability does not depend on manual actions that rely on code
+  external to Django. This includes actions performed by a project's developer
+  or maintainer using developer tools or the Django CLI. For example, attacks
+  that require running management commands with uncommon or insecure options
+  do not qualify.
+
+* The vulnerability applies to a production-grade Django application. This
+  means the following scenarios do not require a security release:

  * Exploits that only affect local development, for example when using
    :djadmin:`runserver`.