Becoming primary maintainer of a project that is unsupported for security reasons

Last updated on 27 April 2022

If you are interested in becoming the primary maintainer of a Drupal contributed project that is unsupported for security reasons, please follow these steps:

For all the steps below, if realistic, it is suggested to try to resolve the security issue within 30 calendar days after the Security Advisory (SA) is published on Drupal.org marking the project as unsupported. If the security issue is not resolved within this period, the Drupal security team may publish the details publicly. If the security team publishes the details publicly, the module will follow the normal unsupported module policy.

  1. If you are interested in becoming the primary maintainer of a Drupal contributed project that is unsupported for security reasons, please first double check that you have the permission to opt into security advisory coverage. This is a requirement for the steps below.
  2. Look at the source code and see if you can find the issue. Depending on the issue this might be very hard to do. If you can't find a security issue, propose a security hardening to the module's code base. The security team needs to know you are aware of the internals of the module and secure coding best practices.
  3. Email security@drupal.org, either asking a security team member to confirm that your patch resolves the security issue or providing a patch that is a security hardening. In your email, provide the following details:
    • That you agree to maintain the security of the module in the future. You do not have to fix bugs or add features, but you do have to agree to respond to security issues. The security team does not transfer modules for the sake of a one-time security fix.
    • That you have the permission to opt into security advisory coverage.
    • Include your patch and describe it.
    • Any emails that don't include the above may be ignored by the security team.

  4. Once the security team reviews your email, they may provide access to the private issue. They will work with you to transfer the module to you as primary maintainer.
  5. Once the issue is fixed, the security team will not issue a second SA for the module; instead, the existing SA will be updated to indicate the module is now secure.
