Marking a project as unsupported for security reasons
If project maintainers are not responsive to fixing an issue after multiple attempts to contact them via e-mail, Slack, Drupal.org contact form or other means, then we may need to "unsupport" a project.
When we unsupport a project there are several steps to take:
- If the module meets general requirements for an SA then it should get an SA following the normal process. The risk score in the advisory should be
  Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
  regardless of the nature of the issue evaluated in the original report. When an issue gets fully researched and fixed in private, new revelations are often made that might increase the risk score. With incomplete information we publish with a relatively high score as a reasonable estimate.
  Note: we generally omit the "reported by", "fixed by" and "coordinated by" information from these Security Advisories, since this information can cause the people mentioned to be contacted directly with requests for information. People can opt in to be mentioned in those sections if they wish.
- Edit the project node
- Go to the releases tab and mark the insecure releases/branches as unsupported and uncheck "Supported". This will remove the supported release block from the project page.
- Edit the project node to be "Full HTML" input format and add a warning like the text below.
- Under "Maintenance status", select "Unsupported"
- Under "Development status", select "No further development"
- Under "Security Advisories", select "Unsupported due to security issue"
- Change the author of the project to the Unsupported Projects user.
- Remove all maintainers from the module.
- Edit all release nodes, and mark each of them as "Insecure". Paste the SA in the revision log field.
Warning text to be added at the top of unsupported projects:
<div class="error">
This module is unsupported due to a security issue the maintainer didn’t fix.
If you want to use this module, your options are:
<ul>
<li>Choose another, actively maintained module instead</li>
<li>Follow the <a href="https://www.drupal.org/node/251466">unsupported project process</a>.</li>
<li>Hire someone to fix the security bug so the module can be re-published and supported (Consider hiring companies listed in the <a href="https://www.drupal.org/drupal-services/Security-reviews">Marketplace</a>)</li>
</ul>
</div>