Adding new members to the security team
Explains how members are added and the specific places to modify access
Common tasks for Security Team members
In no particular order:
Creating a Drupal core security release
Refer to the instructions for rolling a new core release.
Disclosure of usernames and user IDs is not considered a weakness
The Drupal Security Team does not consider it a vulnerability that there are ways to determine a registered member's username and/or user ID.
Drupal Security Team Disclosure Policy for Security Team Members
The official version of this policy is here: http://cgit.drupalcode.org/securitydrupalorg/tree/policies/disclosure.txt
Security Team expectations for employers
Simple explanations for employers regarding what to expect when an employee is on the Security Team
How to invite a maintainer to participate in the issue
In order to let maintainers post directly into an issue on security.drupal.org, use the "Add/update project maintainers" checkbox.
How a Security Issue goes from Initial Report to Security Advisory.
Process for Security Team new issue reports and Security Advisory publication.
Making a public issue for security.drupal.org issues with status "Needs public followup"
Process for creating public issues after Security Team has agreed on making a public version of the issue.
Marking a project as unsupported for security reasons
If a project maintainer is not responsive to fixing an issue after multiple attempts to contact them via e-mail, IRC, Skype, and/or phone,
Security issue release process
Schedule
Security Team chat channels (IRC and Slack)
Everyone on the security team has been granted access to join the restricted #drupal-security channel on freenode IRC.
Security Team member triage duty
Security Team message templates
- Automated reply sent by security.drupal.org automatically
- Declined member application - encourage to make more contributions
- Email to a maintainer who has created a release tagged security update that is not related to an issue on s.d.o
- Email to issue reporter inviting them to view the issue on security.drupal.org
- Invite reporter to submit an issue to the tracker directly
- Inviting a Security Team applicant to assist with an issue
- Issue assignment template
- Issue unpublished on drupal.org
- Letting a maintainer know that we plan to unsupport their module
- Message to contrib maintainer asking for review
- Message to contrib maintainer who hasn't responded to our report
- Message to reporter who hasn't responded
- Removing a person's ability to opt projects into security coverage
- Reply to request for support including hacked sites
- Reporting a file uploaded to a Drupal.org issue
- Request for information about an upcoming release.
- Responding to an inquiry if we have a bounty
- Using the private tracker to report a bug or feature request
- Vulnerability which can be fixed publicly because it requires an advanced permission
- Vulnerability which is only present in a non-stable release
- Welcome as provisional security team member to onboarding process
Security issues on git.drupalcode.org
security.drupal.org is being replaced with confidential issues on git.drupalcode.org
