Status: The Django Software Foundation (DSF) is applying to become a CVE Numbering Authority (CNA). This page describes our intended scope, advisory locations, and contact paths. It will be updated if and when CNA authorization is finalized.
CVE Numbering Authorities assign and manage CVE IDs and records for software vulnerabilities within their defined scope. To learn more about the CVE Program, visit the CVE website.
Scope
The DSF CNA scope covers the Django framework itself, including supported and end-of-life versions listed on the Django downloads page. Third-party packages, redistributions, or unofficial forks of Django are not covered. For those, please contact the respective maintainers or distributors.
| Project | Security Policy | Security Contact |
|---|---|---|
| Django | Security Policy | security@djangoproject.com |
Advisory locations
Security advisories and release information are published in the following places:
- Security advisory archive: https://docs.djangoproject.com/en/stable/releases/security/
- Release announcements (security and non-security): Django Forum release announcements
- Announce mailing list: django-announce
How to report a vulnerability
Do not send vulnerability reports to a CNA inquiries address. To report a security issue in Django, please follow our security policy and contact the Django Security Team at security@djangoproject.com. See https://www.djangoproject.com/security/ for details on our process, timelines, and embargo handling.
How to contact CNA operators
For general questions about the DSF CNA (not for reporting vulnerabilities), email cna@djangoproject.com. We will reply to inquiries related to CNA processes, scope, and CVE record management.
How to modify or dispute a CVE
The DSF CNA will respond to CVE modifications and disputes according to CNA rules. If you believe there is an issue with a CVE record assigned by the DSF, please contact the CNA operators at cna@djangoproject.com. Before reaching out, verify that the CVE record was assigned by the DSF CNA.