FAQ

Last updated on 20 February 2025

Looking for more information about the Drupal Steward program? This page answers common questions.

How does Drupal Steward work?

Drupal Steward is offered in a few forms:

  • The Drupal Steward Community tier offers protection directly to site owners through the Drupal Association.
  • The Drupal Steward Partner tier will offer a channel for qualifying Supporting Partners to enroll their clients.
  • The Drupal Steward Platform tier partners with the largest Drupal hosting providers in the ecosystem, so they can protect their clients directly. Our Founding Platform partners at this level are Acquia and Pantheon.

From a technical point of view, Drupal site owners will route traffic through a network application, either operated by the Drupal Association or a Platform partner. This network application will be populated with a security filter that prevents any identified highly critical vulnerabilities from being exploited, giving the site owner time to deploy the security update at their leisure. Site owners will not have direct access to the vulnerability information, or its mitigation strategy, to prevent it from being leaked.

From a procedural point of view:

Drupal Steward Procedure

Step 1: Security team identifies a reported vulnerability as highly critical/mass exploitable.

Step 2: Security team determines whether the vulnerability can be mitigated on the network level.

Step 3: Security team releases a PSA, which indicates if Drupal Steward will protect this release or not.

Step 4: The Drupal Steward protection rules are implemented by the Drupal Association and Platform partners, in monitor-only mode to check for false positives.

Step 5: The security team and partners will review monitor-only mode logs, and make refinements to the rules.

Step 6: Prior to disclosure of the vulnerability and patch release, the security rules will be switched to enforcing mode, mitigating the vulnerability.

What does Drupal Steward cost?

We've worked very hard to supplement our pricing so that Drupal Steward is affordable to as many site owners as possible. Drupal Steward scales to the number of requests you receive, so check out the calculator on drupalsteward.org to estimate your pricing.

Signing up for the service is as simple as creating an account on drupalsteward.org, adding your domain names to be covered, and updating your DNS settings to route requests through the Drupal Steward service.

Why isn't Drupal Steward free?

Code is and always will be free in the Drupal project, but a service by its nature is not.

Drupal Steward requires a globally distributed infrastructure to ensure that the security layer doesn't increase latency and degrade the experience of users anywhere in the world. This has an inherent cost we must cover, and in addition, we want to help fund the largely volunteer Drupal Security Team, as well as Drupal Association programs.

What about vulnerabilities that aren't "highly critical"? Or vulnerabilities in contributed modules rather than core?

The primary strength of this network-level mitigation strategy is in protecting against mass-exploitable vulnerabilities, which are the kind that are most likely to receive the "highly-critical" designation. For vulnerabilities of lesser criticality or those that are found in contributed modules, it will depend on the nature of the vulnerability and the discretion of the Security Working Group whether they can or should be covered by the program as well.

How does Drupal Steward support the Security Team?

Funding from the Drupal Steward Founding Partners has enabled the Drupal Association and the Drupal Security team to build out the Community tier to serve the broader base of Drupal sites of all sizes. Proceeds from the ongoing program will support specific initiatives from the Drupal Association and the Drupal Security team to further enhance the security of Drupal - including the initiative to bring Automatic Updates to Drupal core.

How do I sign up?

Enrollment in the Drupal Steward Community tier is open now.

Sign up

If you are a customer of Acquia or Pantheon, or are considering becoming a partner, your Drupal Steward protection will be handled through the partner:

  • Contact Acquia
  • Contact Pantheon

How are organizational partners for the Drupal Steward program chosen?

Both the Platform and Partner tiers of the Drupal Steward program have defined requirements. At the Platform tier, partners need to cover a minimum number of Drupal sites, and have a history of and commitment to ongoing contribution to the Drupal community. We spoke to several potential partners in the time since our original blog post announcing the program, and were ultimately able to launch with two founding partners at this level. At the Partner level, we are using the seed funding that the Platform tier allows to launch the Drupal Association-operated network application, and will be reaching out to supporting partners with details of how to join the program at this level.

We are happy to speak to additional organizations who are interested in either the Platform or Partner tiers.

My organization would like to become a Drupal Steward partner

If you're interested in becoming a Drupal Steward partner at either the Platform or Supporting Partner level, please send us a message.

Contact us

How can I stay connected and ask questions?

Feel free to join us in the #drupalsteward channel on the public Drupal Slack.
