Django as a CNA

:waving_hand: We’re in the process of registering Django as a CVE Numbering Authority, so we can be more autonomous and efficient when processing security vulnerabilities in Django. And possibly Django packages in the future.

This has been in discussions internally for about a year now, and we’re now at a point where this is very likely to happen in the next few months, currently with @nessita leading and support from our Security team. So I thought it was time for a forum thread. This is a highly technical topic, opening this for transparency, and so we can get support from other people with CNA experience.

What it means to be a CNA

Django’s security team deals with security vulnerability reports on a daily basis, and out of those there’s one a month (give or take) with a real vulnerability for us to fix and publish. We currently work with MITRE to do this. Becoming a CNA, we could be more autonomous, and also do this same work but faster. It’s an investment in process that has the potential to fit well within what Django does already.

This is also something that we could do for Django packages, though we’re not considering this at this time.

For Django

In short, it’s a change to security team processes, and the setup of a new “CNA team”, which will likely be a combination of Fellows, security team members, and DSF Board members.

This could be a fundraising opportunity, if we were able to create a “security developer-in-residence”-style sponsorship.

How you can get involved

I think it’s important we open those threads for transparency even if only a few people are able to contribute. But we could definitely use help if:

  • You know about CNAs and you know Django. You could provide us feedback based on our internal plans. Please let us know if you’re interested.
  • You know about funding of security / sustainability programs in open source. We could use help with that.

There are also connections with our CRA work and, to some extent, the CLA vs. DCO discussions here too, as those are all maturity / process changes that require a good amount of legal and technical expertise. If you’re in that space, we need you!

2 Likes

It’s official, we made it! :partying_face: Django is now a CVE Numbering Authority (CNA).

Thank you @nessita and @jacobtylerwalls, who got up to speed with the CNA processes behind the scenes, coordinating with MITRE. We got excellent validation from MITRE along the way that our vulnerability management processes are already really good, which is a testament to the long-term efforts by our security team and contributors!

We still have some setup to do behind the scenes but it’s shaping up great! :raised_hands:

5 Likes