If you discover a security vulnerability in djust, please do not open a public GitHub issue. Instead, report it by emailing:
Please include:
- A description of the vulnerability
- Steps to reproduce it
- Potential impact
- Any suggested fixes (optional)
We will acknowledge your report within 48 hours and work with you to understand and resolve the issue promptly. We aim to release a patch within 30 days of disclosure for critical vulnerabilities.
Security patches are applied to the latest stable release.
| Version | Supported |
|---|---|
| Latest | ✓ |
| Older | No |
Security patches are released as patch versions and announced in CHANGELOG.md. Critical patches are also noted in the GitHub release.
The following are in scope for security reports:
- Remote code execution
- Authentication or authorization bypass
- Cross-site scripting (XSS) or injection vulnerabilities in the framework
- CSRF bypass in djust-provided utilities
- Sensitive data exposure from framework internals
The following are out of scope:
- Security issues in example apps or demo code
- Issues in dependencies (report upstream)
- Theoretical vulnerabilities without a proof of concept