What to expect from the review process

Last updated on 4 February 2023

First and foremost, it is strongly recommended that you review other applications, as described in Review bonus.

Reviewers will basically follow the pattern described in Application checklist.

Application Workflow

For detailed information on what to expect during the process, applicants are encouraged to read through the reviewer documentation section of this handbook. For the sake of convenience, the workflow steps are repeated below.

  1. Users submit their application to the Drupal.org security advisory coverage applications issue queue, complete with a link to the project which will contain the module or theme code.
  2. When the applicants have fully prepared the code and the supporting materials, they should change the status of the issue to Needs review.
  3. Other users will then review the code.
    If any issues are found:
      • The reviewers will leave a comment in the issue thread, identifying the issue (and preferably explaining what needs to be done to address it), and set the issue status to Needs work.
      • The applicants should make the appropriate changes to the project (or answer any questions that are asked), and change the issue status back to Needs review.
      • The reviewers will validate the changes/response, and repeat the process if they identify any new issue and/or question.
    Once all issues have been addressed:
      • The reviewers will change the status of the issue to Reviewed & tested by the community.
      • After that, a git administrator will validate the review, granting the applicants the vetted role, and changing the status of the application to Fixed. If new issues are identified, the status will be set back to Needs work.

Application Review Timelines

Unfortunately, the application queue does occasionally experience a large backlog, and applications may sit in the queue up to a year before getting reviewed. You can avoid that by taking part in the review bonus program. In the event that your application has held a status of Needs review for a certain length of time, applicants or reviewers may elevate the priority of the application. Once a reviewer has responded according to Application workflow and the application review process proceeds, the application priority should return to normal.

The application priority is changed based on how long the application has been waiting for a review, or has been waiting in the Needs work or Postponed status.

  • The starting priority for all the applications is Normal. Applications with elevated priorities should be returned to normal priority once the code has been reviewed.
  • The priority of applications that have been waiting for a review for more than three weeks is changed to Major.
  • The priority of applications that have been waiting for a review for more than eight weeks is changed to Critical.
  • The priority of applications that have been in Needs work or Postponed for more than five weeks is changed to Minor. Once the status is changed to Needs review, the priority is changed back to Normal, after one week.

To get a sense of the current application backlog, check the date on the oldest application in the queue with Needs review status.

While you wait, consider joining the Code review for security advisory coverage applications group to contribute a few reviews of your own. Providing a solid review of other users' work can help demonstrate your understanding of the code review principles, and some reviewers may be willing to help fast-track your own application when they witness you contributing to the code review effort.
A few resources, shortcuts, and templates for volunteers doing code review are maintained over in that group wiki.
