[Django] #35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports


Django

Jul 17, 2024, 12:08:36 PM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce                | Type: Cleanup/optimization
Status: new                          | Component: Documentation
Version: dev                         | Severity: Normal
Keywords:                            | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
When reporting a potential security vulnerability, the user's code must
follow security best practices. A user has a responsibility to follow best
practices, and Django does not mitigate against cases where a user has
introduced a vulnerability themselves (a common example being forgetting to
sanitize user input). That an AI tool[1] can generate insecure code
doesn't change this user responsibility.

Having this explicitly documented aims to help improve the quality of
reports and/or reduce the amount of time spent replying to invalid reports
which follow this pattern.

Maybe a note in [https://docs.djangoproject.com/en/dev/internals/security/#reporting-security-issues reporting security issues]
that highlights this, and which also links to the
[https://docs.djangoproject.com/en/5.0/topics/security/ security topic], is
an idea.

----

[1]. For context, there was an occasion where a reporter suggested
a report is valid because "even ChatGPT" has generated insecure code.
--
Ticket URL: <https://code.djangoproject.com/ticket/35612>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
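The distinction the ticket draws (a mitigation the framework provides versus a
vulnerability the developer introduces by bypassing it) is easiest to see side
by side. The block below is an added example; it is not code from the ticket,
the Django documentation or the Django project. It uses only the standard
library so it runs without Django installed: sqlite3 parameter binding and
html.escape stand in for the ORM's parameterized queries and template
autoescaping, which is this example's assumption rather than a description of
Django internals. The payloads and table rows are constructed sample input.

```python
"""Added example: framework mitigation versus developer-introduced bypass.

Not from the Django ticket or project. sqlite3 and html.escape stand in for
the Django ORM and template autoescaping (an assumption of this example).
"""
import html
import sqlite3

# Constructed sample input: a classic tautology payload for SQL injection.
SQL_PAYLOAD = "' OR '1'='1"
# Constructed sample input: a script injection payload for XSS.
HTML_PAYLOAD = "<script>alert(1)</script>"


def make_db():
    """Build an in-memory table with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Developer-introduced SQL injection: the input is interpolated into the
    statement text. A formatted string handed to raw() or cursor.execute()
    has the same effect; the ORM itself never builds SQL this way."""
    sql = f"SELECT email FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Framework-style mitigation: the value is bound as a parameter, so the
    payload is compared literally and matches no row."""
    sql = "SELECT email FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_unsafe(comment):
    """Developer-introduced XSS: raw input placed in markup, which is what
    wrapping user input in mark_safe() or applying |safe achieves."""
    return f"<p>{comment}</p>"


def render_safe(comment):
    """Framework-style mitigation: output escaping, what a template does by
    default while autoescaping is left on."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def compare():
    """Run both payloads through the unsafe and safe variants.

    Returns a dict so the outcomes can be inspected or asserted on; the
    unsafe SQL variant returns every row, the safe one returns none, and
    only the unsafe renderer leaves the <script> tag intact."""
    conn = make_db()
    return {
        "sql_unsafe_rows": lookup_unsafe(conn, SQL_PAYLOAD),
        "sql_safe_rows": lookup_safe(conn, SQL_PAYLOAD),
        "html_unsafe": render_unsafe(HTML_PAYLOAD),
        "html_safe": render_safe(HTML_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value!r}")
```

The check a reporter can apply before filing: if the finding disappears once the
developer-side bypass (string-formatted SQL, mark_safe on untrusted input) is
removed and the framework's default path is used, the vulnerability was
introduced in the application, not in Django.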

Django

Jul 18, 2024, 12:18:07 PM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
--------------------------------------+------------------------------------
Reporter: Sarah Boyce | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Natalia Bidart):

* stage: Unreviewed => Accepted

Comment:

Accepting based on previous conversations within the Security Team.
--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:1>

Django

Aug 3, 2024, 6:14:14 PM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce                | Owner: Olatunji Joshua Kayode
Type: Cleanup/optimization           | Status: assigned
Component: Documentation             | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Olatunji Joshua Kayode):

* owner: (none) => Olatunji Joshua Kayode
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:2>

Django

Aug 5, 2024, 8:51:18 PM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce                | Owner: Olatunji Joshua Kayode
Type: Cleanup/optimization           | Status: assigned
Component: Documentation             | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Olatunji Joshua Kayode):

* has_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:3>

Django

Aug 7, 2024, 6:05:14 AM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce                | Owner: Olatunji Joshua Kayode
Type: Cleanup/optimization           | Status: assigned
Component: Documentation             | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 1
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:4>

Django

Oct 8, 2024, 3:05:39 AM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce                | Owner: Sarah Boyce
Type: Cleanup/optimization           | Status: assigned
Component: Documentation             | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 1 => 0
* owner: Olatunji Joshua Kayode => Sarah Boyce

--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:5>

Django

Oct 11, 2024, 4:53:08 AM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce                | Owner: Sarah Boyce
Type: Cleanup/optimization           | Status: assigned
Component: Documentation             | Version: dev
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:6>

Django

Oct 11, 2024, 4:53:21 AM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce                | Owner: Sarah Boyce
Type: Cleanup/optimization           | Status: closed
Component: Documentation             | Version: dev
Severity: Normal                     | Resolution: fixed
Keywords:                            | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce <42296566+sarahboyce@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"9423f8b47673779049f603a7da271d183de7dc1d" 9423f8b4]:
{{{#!CommitTicketReference repository=""
revision="9423f8b47673779049f603a7da271d183de7dc1d"
Fixed #35612 -- Added documentation on how the security team evaluates
reports.

Co-authored-by: Joshua Olatunji <joshua...@etentlabs.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:7>

Django

Oct 11, 2024, 11:16:22 AM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
Comment (by Sarah Boyce <42296566+sarahboyce@…>):

In [changeset:"a9a7ef7762adf94788425384a2a26ea5cb07462d" a9a7ef77]:
{{{#!CommitTicketReference repository=""
revision="a9a7ef7762adf94788425384a2a26ea5cb07462d"
[5.1.x] Fixed #35612 -- Added documentation on how the security team
evaluates reports.

Co-authored-by: Joshua Olatunji <joshua...@etentlabs.com>

Backport of 9423f8b47673779049f603a7da271d183de7dc1d from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:8>

Django

Feb 4, 2025, 6:54:10 AM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
Comment (by GitHub <noreply@…>):

In [changeset:"f609a2da868b2320ecdc0551df3cca360d5b5bc3" f609a2da]:
{{{#!CommitTicketReference repository=""
revision="f609a2da868b2320ecdc0551df3cca360d5b5bc3"
Refs #35612 -- Extended docs on how the security team evaluates reports.

Co-authored-by: Shai Berger <sh...@platonix.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:9>

Django

Feb 4, 2025, 6:55:34 AM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
Comment (by Natalia <124304+nessita@…>):

In [changeset:"d6a44efa496f407efaf67f61499b2c2ca4317aec" d6a44ef]:
{{{#!CommitTicketReference repository=""
revision="d6a44efa496f407efaf67f61499b2c2ca4317aec"
[5.2.x] Refs #35612 -- Extended docs on how the security team evaluates
reports.

Co-authored-by: Shai Berger <sh...@platonix.com>

Backport of f609a2da868b2320ecdc0551df3cca360d5b5bc3 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:10>

Django

Feb 4, 2025, 6:57:09 AM
to django-...@googlegroups.com
#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
Comment (by Natalia <124304+nessita@…>):

In [changeset:"b814f4ccaa5e228d164fbab8d3dbebbaac617b85" b814f4c]:
{{{#!CommitTicketReference repository=""
revision="b814f4ccaa5e228d164fbab8d3dbebbaac617b85"
[5.1.x] Refs #35612 -- Extended docs on how the security team evaluates
reports.

Co-authored-by: Shai Berger <sh...@platonix.com>

Backport of f609a2da868b2320ecdc0551df3cca360d5b5bc3 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35612#comment:11>