Request for information about an upcoming release.

Hello,

When the Drupal Security Team publishes a Public Safety Advisory (PSA) in advance of releasing a patch for a highly critical issue, it’s common for individuals, teams, and organizations to ask additional questions. No doubt, these situations can be stressful, and it's in everyone’s best interest to seek any insight they can to ensure they have the greatest chance of success in mitigating any/all issues. While we certainly understand and empathize with these desires, the reality is that even a seemingly benign request to help an individual can result in premature information disclosure. The security team must protect the ecosystem as a whole, spanning over a million active sites spread across each continent and many time zones. Given that, the only fair way to do this is to provide a very specific release window with enough time for developers and operations to schedule and resource for these situations properly.

To that end, we must continue to decline any/all requests for information that are not already conveyed in the PSA itself. This is not only a requirement for membership to the security team (see https://www.drupal.org/drupal-security-team/security-team-procedures/drupal-security-team-disclosure-policy-for-security). It’s also the only responsible way to support the entire Drupal ecosystem as a whole fairly. We thank you in advance for your understanding.

Regards,
[your name] of the Drupal Security Team