Security team procedures

This section of the handbook details the procedures for security team members. If that is not you, you can safely skip this section of the documentation.

Security team members provide help in several ways. This list is in the order of priority to the team.

  1. Coordinating with security researchers who deliver reports, project maintainers responsible for fixing security issues, and our own internal process for creating an announcement.
  2. Providing advice to project maintainers as they work through security issues.
  3. Educating the Drupal community on security topics to improve the overall security stance of the project.
  4. Identifying vulnerabilities and making enhancements related to security in core and contributed projects.

Adding new members to the security team

What criteria should we use to evaluate new members?

Common Tasks for security team members

In no particular order:

Creating a Drupal core security release

Refer to the instructions for rolling a new core release.

Disclosure of usernames and user ids is not considered a weakness

The Drupal Security Team does not consider it a vulnerability that there are ways to determine a registered member's username and/or user ID.

Drupal Security Team Disclosure Policy for Security Team Members

The official version of this policy is here: http://cgit.drupalcode.org/securitydrupalorg/tree/policies/disclosure.txt

HOWTO invite a maintainer to participate in the issue

In order to let maintainers post directly into an issue on security.drupal.org, open the "access control" fieldset under the comment

How a Security Issue goes from Initial Report to Security Advisory

Process for Security Team new issue reports and Security Advisory publication.

Making a public issue for security.drupal.org issues with status "Needs public issues created"

Process for creating public issues after the security team has agreed on making a public version of the issue.

Marking a project as unsupported for security reasons

If a project maintainer is not responsive to fixing an issue after multiple attempts to contact them via e-mail, IRC, Skype, and/or phone,

Security Issue Release process

Schedule

Security Team IRC channel

Everyone on the security team has been granted access to join the restricted #drupal-security channel on freenode IRC.

Security Team message templates

Guide maintainers