Goals of the security team
- Resolve reported security issues in a Security Advisory
- Provide assistance for contributed module maintainers in resolving security issues
- Provide documentation on how to write secure code
- Provide documentation on securing your site
- Help the infrastructure team to keep the drupal.org infrastructure secure
Members of the security team sometimes perform analysis of core or contributed project code, especially when a weakness can be found by simple scanning, but in general the team does not review core or contributed code.
How to report a security issue
If you discover or learn about a potential error, weakness or threat that could compromise the security of Drupal, we ask you to keep it confidential and submit your concern to the Drupal security team.
How the team resolves reported security issues
- Review the issue and evaluate the potential impact on all supported releases of Drupal.
- If it is indeed a valid problem, the security team mobilizes the maintainer to eliminate it (whether for core or contrib).
- New versions are created, reviewed, and tested.
- New releases are created on Drupal.org.
- When an issue has been fixed, we use all available communication channels to inform users of steps that must be taken to protect themselves.
- If the maintainer does not fix the problem within the deadline, an advisory is issued recommending that the module be disabled, and the project on Drupal.org is marked as unsupported.
Security announcement and release process
Providing security requires more than simply posting a patch to Drupal.org. Hundreds of thousands of people rely on the Drupal security team to notify them of known vulnerabilities. The security team coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance. The security team works with Drupal core and module maintainers.
If you are concerned about the response time or handling of a security issue, send an email to email@example.com. You may publicly discuss the policy, but not the details of any undisclosed issue.
There are three pages listing past security announcements:
The security team follows a Responsible Disclosure policy: we keep issues private until there is a fix OR until it becomes apparent that the maintainer is not addressing the issue in a timely manner. Public announcements are made when the threat has been addressed and a secure version is available. When reporting a security issue, observe the same policy. Do not share your knowledge of security issues with others.
- Only the current and one previous version of Drupal are actively supported, currently 8.x, 7.x and 6.x. Upgrade if you are using an unsupported version of Drupal.
- The development branch of Drupal is not intended for production use. Security problems are fixed, but security announcements are not issued. Update your code regularly.
A detailed description of this process is available, as is our policy on which releases get advisories.
Because membership in the team gives the individual access to potentially destructive information, membership is limited to people who have a proven track record in the Drupal community. Many ways of helping the team do not require access to that confidential information:
- The most important help you can provide is reviewing proposed patches in the drupal.org issue queue with a security mindset.
- Report any issues you find and work with the team on a fix.
- Develop trust by meeting current security team members at real-world events.
- Discuss security best practices.
- Help out in the public issue queue.
- Do Project Application Reviews. Applications often have security issues, and finding them early keeps them from becoming the responsibility of the security team; it is also good practice for the work of the security team.
Team members are expected to work at least a few hours every month. Exceptions can be made for short periods to accommodate other priorities, but people who cannot maintain some level of involvement will be asked to reconsider their membership on the team.
Security team members
The current list of security team members can be viewed on the Security team site.