EDIT: I described the link as 'first' in the Google results, but that was because Google was being helpful and promoting a page I've visited a lot before... In reality, it's a few links down.
I've never really looked at Django's site before, picked 'community' on the upper right, and it says
> Report potential security issues in Django via private email to
> security@djangoproject.com, and not via Django's Trac instance or the
> django-developers mailing list
The community page (where all the mailing lists and contact addresses are listed) say:
>Report potential security issues in Django via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers mailing list
How hard did you try? Django uses the industry standard security@ address for reporting security issues.
A quick googling results in this page pretty easily: https://docs.djangoproject.com/en/1.5/internals/security/
EDIT: I described the link as 'first' in the Google results, but that was because Google was being helpful and promoting a page I've visited a lot before... In reality, it's a few links down.