Security Team member triage duty

Last updated on 12 March 2026

Every two weeks, one team member is assigned the following duties:

  1. Review all emails that we receive from non-team members. This should mostly be unnecessary now that people can create and follow up on issues directly on s.d.o. However, not everyone does that, so we still assign someone to cover this duty; if an email fits the process below, take the appropriate action.
  2. Review the issue queue for "needs triage" issues. Verify any new issues, add maintainers if appropriate, or ask the reporter follow-up questions. If you have a question for the team, add it and move the issue to "needs team response."
  3. Review any new comments on all issues in the queue and see what you can do to move them forward. If it's not something you can address, that's OK; this is a lower priority.
  4. Update new issues that have not been assigned a project. Change the title prefix (for example, "token: {Rest of title}") so that it uses the project's machine name. Automation will move the issue once the project machine name is correct. (This is temporary until all issues are in git.drupalcode.org.)
  5. Review issues that are labeled unvalidated, needs attention, or needs security team response:
    • Unvalidated issues need triaging to determine whether the report is a valid issue that might warrant an advisory. Either label it as validated, reject it with an explanation, or ask the reporter or maintainers for more information.
    • Needs attention issues have been dormant and need an update based on their labels.
    • Needs security team response signals that a security team member should answer a question.

The current team process, outside of the list signup, is documented on Drupal.org: https://www.drupal.org/node/1751076

Process

What is the report about?

  1. Responses from module maintainers -> ask them to get involved in the queue directly.
  2. Responses from issue reporters -> ask them to get involved in the queue directly.
  3. Reports of potential security vulnerabilities -> follow the process.

Security team coordinators

  1. Review issues by follow-up date. Triage old issues that are not making progress and notify maintainers that we will be unpublishing releases.
  2. Assign unassigned issues to security team members.
