Django's now part of Google's Security Patch Reward program
I'm pleased to announce that Django's now part of Google's Security Patch Rewards Program. This program's designed to reward proactive security improvements in open-source projects -- projects like Chrome, Android, Apache, OpenSSH, ... and now web frameworks, including Django!
This isn't a bug bounty program; it's specifically about rewarding patches that have lead to a significant proactive improvement in security. For frameworks like Django that could include things like substantial improvements to the framework's XSS or CSRF protection, patches that increase the default security profile of new applications, systemic fixes for common security issues, etc.
To be eligible, patches must actually ship -- i.e. get merged into Django, and then shipped as part of a release. That's a fairly substantial bar, but the rewards are similarly substantial: up to $10,000 for high-impact improvements.
The Django team takes application security very seriously, and we hope that participating in this program will help motivate developers to work with us to increase our security profile even more.
For more details on the program, including what sorts of things are eligible, and how to claim a reward, see the Security Patch Rewards Program page. And for more information about working on Django's code, see our Contributing to Django documentation.
General notes regarding security reporting
As always, we ask that security vulnerabilities be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
Happy (secure) coding!