Django is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you’ve found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.

The Fine Print

==========

• Responsibly disclose a previously unknown vulnerability using the HackerOne platform, or directly to us while following our guidelines for reporting security issues

• The vulnerability must significantly compromise the security of a typical Django installation.

• Low priority vulnerabilities, such as Denial of Service attacks, are unlikely to qualify.

• Vulnerabilities in dependencies may qualify only if they are exploitable in the context of a typical Django installation.

• You should install Django on a server you own and test locally. Testing against a server without permission is grounds for disqualification. For help, see our Getting Started Guide

• We maintain a detailed archive of security issues to provide examples of the type of issues we’re interested in learning about.

• If you’re also a developer, you can optionally send us a patch for the issue. If we end up accepting your patch, we may add an extra bonus to your bounty depending on the complexity and completeness of the patch.

YOU MAY NOT TEST AGAINST SERVERS YOU DO NOT HAVE EXPLICIT PERMISSION TO TEST. YOU DO NOT HAVE PERMISSION TO SCAN THE DJANGOPROJECT.COM SERVERS.

IF YOU TEST AGAINST THE DJANGOPROJECT.COM SERVERS, YOU WILL NOT BE REWARDED ANY BOUNTY.

Bounty

===========

The Django team reserves the right to make the final call on the severity for any issue, but to give you an idea of our priorities, here are some rough ranges, and the types of issues we expect would fall into each range:

Severe issues

• Remote code execution

• SQL injection

Moderate issues

• XSS

• CSRF

• Broken authentication

Low severity issues

• Sensitive data exposure

• Broken session management

• Unvalidated redirects/forwards

• Issues requiring an uncommon configuration option

No Reward

• Any behavior which is clearly documented

• Any behavior which is the result of deliberate misconfiguration

• Issues in third-party libraries (please report issues directly to the maintainers)

• Issues discovered while scanning without permission

• The OPTIONS header

The Internet Bug Bounty awards security research on Django. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to the Django Software Foundation (https://www.djangoproject.com/foundation/) to continue to support the vulnerability remediation efforts.

To submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions after the project maintainers have resolved the vulnerability.

The project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.