Security team procedures

This section of the handbook details the procedures for security team members. If that is not you, you can safely skip this section of the documentation.

Security team members provide help in several ways. This list is in the order of priority to the team.

  1. Coordinating with security researchers who deliver reports, project maintainers responsible for fixing security issues, and our own internal process for creating an announcement.
  2. Providing advice to project maintainers as they work through security issues.
  3. Educating the Drupal community on security topics to improve the overall security stance of the project.
  4. Identifying vulnerabilities and making enhancements related to security in core and contributed projects.

Adding new members to the security team

What criteria should we use to evaluate new members?

Common Tasks for security team members

In no particular order:

Creating a Drupal core security release

Refer to the instructions for rolling a new core release.

Drupal Security Team Disclosure Policy for Security Team Members

The offical version of this policy is here:

HOWTO invite a maintainer to participate in the issue

In order to let maintainers post directly into an issue on, open the "access control" fieldset under the comment

How a Security Issue goes from Initial Report to Security Advisory.

Process for Security Team new issue reports and Security Advisory publication.

Marking a project as unsupported for security reasons

If a project maintainer is not responsive to fixing an issue after multiple attempts to contact them via e-mail, IRC, Skype, and/or phone,

Security Issue Release process


Security Team IRC channel

Everyone on the security team has been granted access to join the restricted #drupal-security channel on freenode IRC.

Guide maintainers