Django is now a CVE Numbering Authority (CNA)
We’re proud to announce the Django Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA)!
What it means for Django to be a CNA
Our security team deals with vulnerability reports on a daily basis, and every so often some turn out to be real vulnerabilities for us to fix and publish. CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about each vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. As a CNA, we have more autonomy throughout this process. For full details, see our scope on the new CVE Numbering Authority page.
How to report a vulnerability
For reporters, our process remains completely unchanged: to report a security issue in Django, please follow our security policies to report over email at security@djangoproject.com.
How our CNA operates
Our CNA is currently run within our existing security team, with support from the foundation’s President and Vice President. Day to day, the Django Fellows take care of CNA activities. Check our CNA page for more information and ways to contact us about CNA matters.
—
Thank you to Natalia Bidart for initiating our application process to become a CNA! And if you have feedback or questions, come say hi on the Django forum in Django as a CNA.