How to Join the Drupal Security Team

Last updated on 13 April 2017

The Security Team handbook page has more information about the team.

How do you apply?

Please send an email to security@drupal.org. The e-mail should state:

  • Confirm you have the "git vetted user role"/opt into security releases
  • Provide a list of public issues you have worked on that enhance or harden security in Drupal
  • How many hours you can commit to the team per month
  • State that you are willing to keep the confidential issues of the team confidential and that you have read https://www.drupal.org/node/2544896
  • List any relevant experience you have working on security issues. (This should include at least 5 issues you have worked on in public or private)
  • List the kinds of work you'd like to do
  • Have you met any security team members who can vouch for you? If so, include their names
  • Your favorite vulnerability and why

New Applicant Review process

  1. An email is received from an applicant
  2. At least 2 people vouch for the person and nobody has reasons against them joining
  3. We wait about 2 weeks for feedback from other team members
  4. The person is invited to help on specific issues in a provisional team member role to prove their commitment and suitability for joining the team
  5. After some period of time being active on individual issues and proving to be trustworthy, the person is added to the team

We usually take 3 weeks to review new applicants. If you don't hear back in 3 weeks and 1 day, please send us a reminder email.

Improve Drupal's security from outside the team

Before you apply or if you are not accepted at first, there are still many things you can do to improve the security of Drupal.

In most cases, people are not accepted because the current team members don't know the applicant well enough. There are a few great ways to solve that problem. As you do these things, please keep links to the comments and node revisions that show your work, so you can include them in a future email to the team:

  • Do reviews of Project applications with a particular focus on security. If you find a security issue, be sure to tag the application issue with "Pareview: Security".
  • Review the handbooks under security team and look for places where the documentation could be improved. Make those changes (if you can't due to a filter permissions problem, file a documentation issue suggesting the change).
  • Work on issues tagged with security improvements
  • Attend a DrupalCamp or DrupalCon and talk with any security team members in attendance - ask them questions about their experience and talk about your interests related to security