project_distribution, project_module, project_theme, project_theme_engine should get a new field for security team coverage with values “Covered”, “Not covered”, “Unsupported due to security issue”
- All current projects with at least one stable D7+ release will be moved to “Covered”
- If there is not a stable release, we will email the maintainer when this is rolled out.
- New projects will default to “Not covered”.
- Only “Git vetted” users can mark their own project, not co-maintainers, “Covered”.
- Once a project is marked “Covered”, it can only be changed by Security team members.
- The field can be changed 10 days after the project has been created.
- A message explaining this on the project page, along with an “not shielded” icon. See
This project is not covered by security advisory policy.
It may have publicly disclosed vulnerabilities. Use at your own risk!
- Update status XML feeds need to include the new status (as a new element so they are backward compatible).
- Update documentation at https://www.drupal.org/security-advisory-policy