We did not have any security issues in the past, but there might be, so I think it is important to have a security policy so users know how to report such issues without fully disclosing them in a GitHub issue. After all, DJA exposes APIs which could be publicly exposed.
I've copied the policy from Django REST Framework and adjusted it. I recommend reading the following [guide](https://github.com/google/oss-vulnerability-guide/blob/main/guide.md), which describes how security vulnerabilities are best addressed.
One question remains, though: what means do we want to use to privately communicate with us? GitHub has [Security Advisories](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories), which I recommend we use. But only an admin can create security advisories. Currently, as it seems, GitHub does not provide a way for the initial communication.
DRF uses Google Groups for this. Not my favorite, but I do not see any alternatives. Or are there any other suggestions?
If you believe you've found something in Django REST Framework JSON API which has security implications, please **do not raise the issue in a public forum**.
Send a description of the issue via email to [[email protected]][security-mail].The project maintainers will then work with you to resolve any issues where required, prior to any public disclosure.
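Review bot: the reference-style link `[security-mail]` on the "Send a description of the issue via email" line needs a matching `[security-mail]: mailto:...` definition in SECURITY.md; no such definition appears in the visible hunk, and without it the contact address renders as literal bracketed text. Also, the contact address itself is shown redacted here as `[email protected]`, so confirm the committed file carries the real mailbox, and add the missing space after the period in `[security-mail].The project maintainers`.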