We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 0.x | ✅ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
- Email: [email protected] (monitored by maintainers)
Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

What to expect after reporting:
- Initial response: within 48 hours
- Status updates: every 72 hours until resolved
- Fix timeline: critical issues within 7 days, others within 30 days
- Credit: security researchers will be credited in release notes (unless you prefer to remain anonymous)
Django Keel generates projects with security best practices by default:
- ✅ Django's `check --deploy` runs in CI
- ✅ HSTS, secure cookies, CSP headers enabled in production
- ✅ Dependencies scanned with `pip-audit` and `safety`
- ✅ Container images scanned with Trivy
- ✅ No secrets in repository (environment-based config)
- ✅ SOPS for encrypted secrets (optional)

For enhanced security, use `security_profile: strict` when generating your project.
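To make concrete what the `check --deploy` step in CI guards, the following is an added illustration (not Django Keel's own code and not Django's implementation): it audits a plain settings dict against a subset of the deployment checks (DEBUG, ALLOWED_HOSTS, SSL redirect, HSTS, secure session and CSRF cookies) and contrasts a hardened production configuration with a development-style one. The `security.W0xx` ids are assumed to match the ones Django prints for the corresponding checks; the settings values are constructed samples.

```python
"""
Mirror of a subset of what Django's ``manage.py check --deploy`` verifies.
Added example: it does not import Django and is not Django Keel's code; it only
audits a plain settings dict, so it runs stand-alone.
"""
from __future__ import annotations

# Production-style defaults of the kind a generated project enables
# (HSTS, secure cookies, HTTPS redirect, DEBUG off). Constructed sample values.
PRODUCTION_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["example.com"],
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31536000,  # one year
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}

# A development-style configuration that should fail every check below.
DEV_SETTINGS = {
    "DEBUG": True,
    "ALLOWED_HOSTS": [],
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
}

# (check id, setting name, predicate that passes, message).
# Ids are assumed to correspond to Django's security.W0xx check codes.
CHECKS = [
    ("security.W018", "DEBUG", lambda v: v is False, "DEBUG must be False in deployment"),
    ("security.W020", "ALLOWED_HOSTS", lambda v: bool(v), "ALLOWED_HOSTS must not be empty"),
    ("security.W008", "SECURE_SSL_REDIRECT", lambda v: v is True, "HTTP is not redirected to HTTPS"),
    ("security.W004", "SECURE_HSTS_SECONDS", lambda v: isinstance(v, int) and v > 0, "HSTS is not enabled"),
    ("security.W012", "SESSION_COOKIE_SECURE", lambda v: v is True, "session cookie may be sent over plain HTTP"),
    ("security.W016", "CSRF_COOKIE_SECURE", lambda v: v is True, "CSRF cookie may be sent over plain HTTP"),
]


def audit(settings: dict) -> list[str]:
    """Return one line per failed check (empty list means the settings pass)."""
    failures = []
    for check_id, name, ok, message in CHECKS:
        value = settings.get(name)  # a missing setting counts as a failure
        if value is None or not ok(value):
            failures.append(f"{check_id}: {name}: {message}")
    return failures


def passes_deploy_checks(settings: dict) -> bool:
    """True when no check in CHECKS fails; this is what a CI gate would assert on."""
    return not audit(settings)


if __name__ == "__main__":
    for label, cfg in (("production", PRODUCTION_SETTINGS), ("development", DEV_SETTINGS)):
        problems = audit(cfg)
        print(f"{label}: {'OK' if not problems else 'FAIL'}")
        for problem in problems:
            print("  ", problem)
```

In a real pipeline the gate is simply `python manage.py check --deploy` against the production settings module; the dict-based audit here only shows which settings that step cares about and why a development configuration must never reach it.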
When we receive a security report:
- We confirm the vulnerability and determine severity
- We develop and test a fix
- We release a patch version
- We publicly disclose the vulnerability 7 days after the patch release
We recognize and thank security researchers who help keep Django Keel secure.
No security reports yet - be the first!
Thank you for helping keep Django Keel and our community safe! 🛡️