Reporting a security issue

Last updated on 28 February 2024

If you discover a vulnerability in Drupal core or in a contributed project (module, theme, or distribution) that is covered by the Security Advisory policy, keep it confidential.

There are two ways to report:

1. Report directly on security.drupal.org (preferred)

  1. Navigate to the project page on drupal.org (Drupal core, a module, or a theme) related to the issue.
  2. In the right sidebar of the project page, click on the "Report a security vulnerability" link. That link will take you to the Security Team's private issue tracker.
  3. Complete the form, which will be immediately incorporated into the Security Team workflow.

2. Send an e-mail

  1. Send an e-mail to security@drupal.org.

Do not post it in the public issue tracker or discuss it on IRC or Slack. The security team will investigate your report and then work with you and the project maintainer to create a fix. If the issue is about a contributed module, the team will coordinate with a module maintainer. Once the fix is ready, we will create a release and announce the fix to a wide audience.

Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming. We aim to fix issues within 1 month, but we also need to balance that with the available time of our volunteer team and the need to release high quality fixes.

Do not disclose the vulnerability to anyone else before the advisory is issued. If progress on fixing the issue stalls and it cannot be fixed in a mutually agreeable time, we will unpublish the releases and create a Security Advisory detailing the problem.

If the vulnerability is not covered by the Security Advisory policy, you can still report it by sending an email to security@drupal.org, but it is also acceptable to post it directly to the issue queue of that project.

A good security bug report

Provide a detailed report. Include as many of these items as possible:

  • Drupal version and/or module version affected by the issue.
  • Steps to reproduce the problem starting from a fresh site install.
  • A proposed patch.

Optional: you can indicate how you would like to be referred to in the advisory about the vulnerability. Our preference is to use full names linked to drupal.org user IDs. If you do not specify, we will do our best to find that information. You can also request a pseudonym or have your name withheld.

My site was defaced and I don't know how

Please review and add the information requested in "My site was defaced ("hacked"). Now what?". The Drupal Security Team is unlikely to be able to assist in finding the root problem or in restoring your site, but is always interested in these reports.

Credit and Coordinated Disclosure

If you follow this process to report a previously unknown vulnerability to the Drupal security team, you will be credited in the security announcement with your name and a link to your Drupal.org profile. Note: Individuals who choose to disclose the vulnerability publicly before coordinated release of fixed code will not be credited in the Security Advisory.

The Drupal Project has a Hall-of-Fame style bug bounty program, via the above-mentioned report credit on Security Advisories. There are also some individual Drupal sites that have paid bug bounties.

What if the vulnerability affects a project that is not covered by the Security Advisory policy?

If you are absolutely sure that the project is not covered by the policy, you can report the issue in the public issue queue of the module. You may also choose to first report it to security.drupal.org by sending an email to security@drupal.org so that the security team and module maintainers can be aware of it in private. It is considered good form, especially for modules used on drupal.org, to report security issues on security.drupal.org first.

What if the vulnerability affects a project that is not hosted on Drupal.org?

Contact the project author directly. You may also email security@drupal.org to advise the Security Team of the issue, but the Drupal Security Team does not handle security advisories for projects hosted elsewhere.
