How to join the Drupal Security Team

Last updated on 22 December 2025

The Security Team handbook page has more information about the team.

How do you apply?

Send an email to security@drupal.org. The email should include:

  • How many hours you can commit to the team per month.
  • A statement that you are willing to keep the confidential issues of the team confidential, and that you have read, agree to, and are willing to sign the Security Team disclosure policy.
  • A summary of the team's disclosure policy in your own words: What are the most important parts? How will you follow it?
  • Any relevant experience you have working on security issues. This should include at least 5 issues you have worked on that are public security improvements in core. If you want to work on more, see the open issues.
  • At least 30 issues you have worked on in public for Drupal core or the 30 most-used contributed modules. Please include a link to each issue.
  • Whether you already have the "git vetted user role" (also known as opting into security releases).
  • At least 5 private security issues you have contributed to. These can be issues you've reported or issues in modules you maintain.
  • The kinds of work you'd like to do as a member of the Security Team.
  • The names of any Security Team members who can vouch for you.
  • Your favorite vulnerability and why.

New applicant review process

  1. An email is received from an applicant.
  2. At least two Security Team members validate the application and no Security Team members raise concerns about them joining. This can take up to 3 weeks.
  3. The person is invited to help on specific issues in a provisional team member role to prove their commitment and suitability for joining the team.
  4. After some period of time being active on individual issues and proving to be trustworthy, the person is added to the team.

We usually take 3-5 weeks to review new applicants. If you don't hear back after about 3 weeks, please send us a reminder email.

Improve Drupal's security from outside the team

Before you apply or if you are not accepted at first, there are still many things you can do to improve the security of Drupal.

In most cases, people are not accepted because the current team members don't know the applicant well enough. There are a few great ways to solve that problem. As you do these things, please keep links to the comments and node revisions that show your work, so you can include them in a future email to the team:

  • Do reviews of contributed project applications with a particular focus on security. If you find a security issue, be sure to tag the application issue with "PAreview: Security".
  • Review the Security Team handbooks and look for places where the documentation could be improved. Make those changes (if you can't due to a filter permissions problem, file a documentation issue suggesting the change).
  • Work on issues tagged with security improvements.
  • Attend a DrupalCamp or DrupalCon and talk with any Security Team members in attendance. Ask them questions about their experience and talk about your interests related to security.
