That’s clever! Disappointing response from Django if that means they’re not going to fix it… I could understand it being outside the scope of their official vulnerability classification/process/whatever, but it’s still a clear correctness bug.