Drupal Security Team

Goals of the security team

  • Resolve reported security issues in a Security Advisory
  • Provide assistance for contributed module maintainers in resolving security issues
  • Provide documentation on how to write secure code
  • Provide documentation on securing your site
  • Help the infrastructure team to keep the drupal.org infrastructure secure

How to report a security issue

If you discover or learn about a potential error, weakness, or threat that can compromise the security of Drupal, we ask you to keep it confidential and submit your concern to the Drupal security team.

General information

Security team

CVE assignment

How we assign CVEs

Contacted by the security team. Now what?

This page explains the series of steps maintainers need to follow when security issues are reported to the Drupal Security Team.

Protecting against HTTP HOST Header attacks (prevent your site from thinking it is someone else)

Drupal 7 added a new feature into core that is not user facing directly, but is sometimes called poor man's cron. The feature triggers the

Security advisory process and permissions policy

What is a Security Advisory?

Security risk levels defined

The following information explains the criticality levels as a general guideline for determining security risk levels.

Security track record

Composed of a set of respected community volunteers, and one of the first dedicated Security Teams in an open source CMS project, the Drupal

Your Drupal site got hacked. Now what?

This information is useful should your Drupal site get compromised. Please report any details to the security team at security@drupal.org.

Drupal 6 Long Term Support

At this point we are no longer accepting new D6 LTS vendor applications.

How to Join the Drupal Security Team


Security team procedures

