Fixed #20868 -- Added an email to django-announce as a security step.

Thanks garrison for the report.
2013-08-09 16:02:05 -04:00 · 2013-08-09 16:02:05 -04:00 · 5737c57d95
parent db0779dbe1
commit 5737c57d95
1 changed files with 5 additions and 1 deletions
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@ -108,8 +108,12 @@ On the day of disclosure, we will take the following steps:
   relevant patches and new releases, and crediting the reporter of
   the issue (if the reporter wishes to be publicly identified).

+4. Post a notice to the `django-announce`_ mailing list that links to the blog
+   post.
+
 .. _the Python Package Index: http://pypi.python.org/pypi
 .. _the official Django development blog: https://www.djangoproject.com/weblog/
+.. _django-announce: http://groups.google.com/group/django-announce

 If a reported issue is believed to be particularly time-sensitive --
 due to a known exploit in the wild, for example -- the time between
@ -214,4 +218,4 @@ If you are added to the notification list, security-related emails
 will be sent to you by Django's release manager, and all notification
 emails will be signed with the same key used to sign Django releases;
 that key has the ID ``0x3684C0C08C8B2AE1``, and is available from most
-commonly-used keyservers.
+commonly-used keyservers.