Wagtail Security team no longer accepts GPG-encrypted emails
You can still report Wagtail security issues via email — just not with GPG.
Wagtail has always taken, and will always take, security very seriously. For over 4 years, Wagtail’s security team has received vulnerability reports from the community over email. Those who wished to have also had the ability to encrypt their email with GPG, ensuring that no one but the security team could read the contents.
The technical details of GPG are long and dry, but the short version is that it allows users to communicate securely over email using end-to-end encryption and public-key cryptography. GPG comes from a time when encryption was either absent or incredibly resource intensive. Fast forward 30 years, and the internet is a very different place - encryption is everywhere. The connection between you and your email server, between your recipient and their email server, and between the email servers themselves is already fully encrypted.
Additional security is great, but it often comes at a cost. GPG brings a number of usability issues which make managing it at scale, especially for a geographically-diverse team, incredibly difficult. Email isn’t really used for secure communication anymore, and GPG has fallen out of use with even the most security-conscious users - with some even calling it “dead”. In the last 3 years, the Wagtail security team has received exactly 1 email encrypted with GPG. Security reports are already discussed in detail over channels which aren’t end-to-end encrypted, such as Slack and GitHub, so GPG was providing no security benefit while creating an administrative burden.
Therefore, with our most recent key needing renewal, we’ve decided not to renew it. The GPG key for [email protected] expired at the end of January, and it will stay that way.
What to expect?
If you’re not intending to report a security issue in Wagtail, then absolutely nothing - Wagtail’s strong security posture remains as strong as ever, both in the application itself and in the processes used to develop it. Security reports are actioned in a secure and timely manner, in line with industry standards.
If you’ve found a vulnerability in Wagtail and wish to report it, you should still use the same channel as you always have: [email protected]. However, you will no longer find a key of ours to GPG-encrypt it with. The only thing lost is GPG’s end-to-end encryption - emails are still fully encrypted between you and our mail server, and between our mail server and us, and reports are treated with the utmost care. No one but the Security Team has access to the security@ emails.
If you are adamant that your report requires additional security, please let us know using the above email and we’ll do our best to review and accommodate your request.
What’s next?
We hope this change will affect almost no one. The security team is reviewing our use of email for security reports and considering alternatives that would improve the experience of reporting security issues and streamline our ability to respond to and remediate them in a timely manner.