The Django Software Foundation has been a CVE Numbering Authority since October 2025.
A CVE Numbering Authority (CNA for short) assigns and manages CVE IDs and records for software vulnerabilities within its defined scope. To learn more about the CVE Program, visit the CVE website.
Scope
The DSF CNA scope covers the Django framework itself, including supported and end-of-life versions listed on the Django downloads page. Third-party packages, redistributions, or unofficial forks of Django are not covered. For those, please contact the respective maintainers or distributors.
| Project | Security Policy | Contact |
|---|---|---|
| Django | Security Policy | security@djangoproject.com |
Advisory locations
Security advisories and release information are published in the following places:
- Security advisory archive: https://docs.djangoproject.com/en/stable/releases/security/
- Release announcements (security and non-security): Django Forum release announcements
- Announce mailing list: django-announce
How to report a vulnerability
Do not send vulnerability reports to a CNA inquiries address. To report a security issue in Django, please follow our security policy and contact the Django Security Team at security@djangoproject.com. See https://www.djangoproject.com/security/ for details on our process, timelines, and embargo handling.
Timelines
Once you’ve submitted an issue via email, you should receive an acknowledgment from a member of the security team within 3 working days. After that, the security team will begin their analysis. Depending on the action to be taken, you may receive follow-up emails. It can take several weeks before the security team comes to a conclusion. There is no need to chase the security team unless you discover new, relevant information. We aim to resolve all reports within the industry-standard 90 days. Confirmed vulnerabilities with a high severity level will be addressed promptly.
Communication with reporters
If a vulnerability is confirmed, we will share any intended patches with the reporter and ask for confirmation of the fixes. We will also provide the CVE number(s), list the expected date of the corresponding Django security releases, and remind the reporter to keep the information private until the security releases are issued. (Security releases typically happen at a monthly interval.) We will also confirm whether and how the reporter wishes to be credited. If a vulnerability is not confirmed, we will summarize the reasoning. Reports that appear to be unverified AI output will be closed without response. Repeated low-quality submissions may result in a ban from future reporting.
How Django discloses security issues
Approximately one week before public disclosure, we send two notifications: First, we notify django-announce of the date and approximate time of the upcoming security release, as well as the severity of the issues. Second, we notify a list of people and organizations, primarily composed of operating-system vendors and other distributors of Django. Finally, on the day of disclosure, we will take the following steps:
- Apply the relevant patch(es) to Django’s codebase.
- Issue the relevant release(s).
- Post a public entry on the official Django development blog, describing the issue and its resolution in detail, pointing to the relevant patches and new releases, and crediting the reporter of the issue (if the reporter wishes to be publicly identified).
- Post a notice to the django-announce and oss-security@lists.openwall.com mailing lists that links to the blog post.
How to contact CNA operators
For general questions about the DSF CNA (not for reporting vulnerabilities), email cna@djangoproject.com. We will reply to inquiries related to CNA processes, scope, and CVE record management.
How to modify or dispute a CVE
The DSF CNA will respond to CVE modifications and disputes according to CNA rules. If you believe there is an issue with a CVE record assigned by the DSF, please contact the CNA operators at cna@djangoproject.com. Before reaching out, verify that the CVE record was assigned by the DSF CNA (the assigning CNA is shown on the record at cve.org); records assigned by other CNAs must be raised with that CNA instead.