Djangocon EU: Oh, I found a security issue - Markus Holtermann
(One of my summaries of the 2026 Djangocon EU in Athens).
Markus is a member of the Django security team. The important document is https://docs.djangoproject.com/en/dev/internals/security/ , which explains how to report security issues, how the security team evaluates a report, which versions will receive a fix (if one is needed) and how the issue gets disclosed.
If you think you found an issue? Mail it to security@djangoproject.com. Don’t start off writing lots of text, just provide a brief description and how to reproduce it. A fix is even better. And: don’t report issues that are corner cases that go against normal web development and regular Django practice. If you take unfiltered, unvalidated user input and manage to do code injection: well, don’t do that :-)
The security team triages the issue. If it is valid, they try to fix it. And if there’s a fix, they check it with the original reporter. Such development doesn’t happen in public, of course.
If there’s a fix, they assign the issue a CVE number. Since last year, the Django project is its own (and only) CVE assigner. And they prepare the various Django version releases beforehand.
Then the problem and the releases containing the fixes are announced, on the mailing list and as a news entry.
What to do for your own project: set up some reporting channel. Your own email address is probably fine. Monitor for issues (but you don’t need to reply 24 hours a day :-) ). Check fixes with the reporter.
Let’s look at Django’s CVEs. Nowadays, there are about 10-15 CVEs per year. Common ones:
DoS (denial of service) attack possibilities.
SQL injection. It is a web framework.
Cross site scripting.
Information disclosure.
Most security reports used to be valid. But since LLMs became popular, the quality dropped dramatically. This year, until now, around 60% are invalid. But as a security team you need to triage them anyway.
The invalid reports, for instance, fabricate code. Or they use unvalidated user input to trigger some problem. Or they mention bugs in code that does not even exist in Django. Or they call private methods (which are out of scope).
Some measures:
Overly long reports aren’t even looked at, as you need to be precise and concise. This already filters out many AI submissions.
Only one report per person at the same time is allowed.
Unrelated photo explanation: a recent trip to the “Modellbundesbahn” in Germany. The famous railway viaduct of Altenbeken.