#35612: Emphasise user responsibility within "Reporting security issues" to detail invalid reports
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce                | Type: Cleanup/optimization
Status: new                          | Component: Documentation
Version: dev                         | Severity: Normal
Keywords:                            | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
When reporting a potential security vulnerability, the user's code must
follow security best practices. A user has a responsibility to follow best
practices, and Django does not mitigate against vulnerabilities that a user
has introduced themselves (a common example being forgetting to sanitize
user input). That an AI tool^[#note1 1]^ can generate insecure code
doesn't change this user responsibility.
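As an added illustration (not part of the ticket, and not Django's own code), the following stdlib-only Python shows the pattern the ticket describes: a developer-introduced flaw that a framework cannot mitigate. The unsafe functions splice user input into SQL text or into HTML verbatim; the safe functions use a bound parameter and HTML escaping, which is the behaviour Django's ORM and template autoescaping provide by default. sqlite3 and html.escape stand in for the Django ORM and template engine, and the sample rows are constructed.

```python
import html
import sqlite3

# Constructed sample data; stands in for an application's user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, username):
    """Developer-introduced flaw: the value is spliced into the SQL text.

    A framework's ORM parameterises queries for you, but nothing stops a
    developer from bypassing it with string formatting like this.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened form: the value travels as a bound parameter, never as SQL.

    This is what an ORM (or raw SQL with a params argument) does on your behalf.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_comment_unsafe(comment):
    """Developer-introduced flaw: untrusted text inserted into HTML verbatim.

    Equivalent to marking user input as safe or disabling autoescaping.
    """
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Hardened form: escape before insertion, as template autoescaping does."""
    return f'<p class="comment">{html.escape(comment)}</p>'


if __name__ == "__main__":
    db = make_db()
    # A perfectly ordinary value with an apostrophe breaks the unsafe query
    # outright, while the parameterised query handles it correctly.
    print("safe:", find_user_safe(db, "O'Brien"))
    try:
        print("unsafe:", find_user_unsafe(db, "O'Brien"))
    except sqlite3.OperationalError as exc:
        print("unsafe query failed:", exc)
    print(render_comment_safe("<b>hello</b>"))
```

The point for triage is that both unsafe functions are bugs in the calling code, not in the library that offered a safe interface; a report built on them describes user responsibility, not a framework vulnerability.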
Having this explicitly documented aims to help improve the quality of
reports and/or reduce the amount of time spent replying to invalid reports
which follow this pattern.
Maybe a note in [https://docs.djangoproject.com/en/dev/internals/security/#reporting-security-issues reporting security issues] that highlights this, and which also links to the [https://docs.djangoproject.com/en/5.0/topics/security/ security topic], is an idea.
----
[=#note1 1]. For context, there was an occasion where a reporter suggested
a report is valid because "even ChatGPT" has generated insecure code.
--
Ticket URL: <https://code.djangoproject.com/ticket/35612>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.