Django Software Foundation Achieves CVE Numbering Authority Status
The Django Software Foundation (DSF) has become a CVE Numbering Authority (CNA), allowing it to assign CVE IDs directly for vulnerabilities in Django and select ecosystem projects. This change streamlines the advisory process, reduces administrative delays, and enhances independence in handling security incidents. While most users will notice no immediate difference, this move signifies a maturation of Django's security practices. The process, involving documentation, training, and approval from MITRE, took approximately four months.
- →Impact on Django Users and Contributors
- →Process of Becoming a CNA
- →Scope of the CNA
- →Lessons Learned for Other Projects
Notes (4) ›
- Impact on Django Users and Contributors
For most Django users and contributors, the process for reporting vulnerabilities, coordinating fixes, and publishing security releases will remain the same. The key difference is the DSF's direct assignment of CVE IDs.
- Process of Becoming a CNA
The application process involved internal evaluations, updating the Django Security Policy, mapping existing workflows to MITRE's CNA rules, and completing MITRE's training and exercises. This formalizes Django's long-standing security practices.
- Scope of the CNA
The DSF's CNA status covers Django itself and a small, defined set of related ecosystem projects, with clear procedures for handling vulnerability reports and CVE assignments.
- Lessons Learned for Other Projects
Projects with mature security processes can become CNAs by formalizing existing practices. The documentation and validation steps are time-consuming, and early definition of scope is crucial. The entire process took about four months.
https://www.djangoproject.com/weblog/2026/jun/25/how-the-django-software-foundation-became-a-cna/