Security track record

Last updated on
30 March 2017

Composed of a set of respected community volunteers, and one of the first dedicated Security Teams in an open source CMS project, the Drupal Security Team works to resolve reported security issues for code hosted on, to review code for vulnerabilities, and to provide security expertise and assistance to contributors.

The Drupal community has an excellent track record of finding and fixing vulnerabilities in community-created code.

The number of security advisories shows consistent and reliable activity within the code contributors and the security team who guides the process of fixing and releasing security patches. Some interpret these numbers and say "a large number of vulnerabilities must mean insecure code." That analysis ignores the reality that all code has bugs (including security bugs) and the most important thing is an active group of coders and researchers finding and fixing bugs.

Number of Security Advisories for Drupal core and contributed projects per year
Year Core Contributed
2017 (YTD) 0 2
2016 5 63
2015 4 175
2014 6 128
2013 3 98
2012 4 174
2011 3 59
2010 2 98
2009 8 115
2008 11 64
2007 11 21
2006 12 21
2005 7 2

Security Team Presentations

The security team is usually well represented at Drupalcons and camps, to raise awareness and share tips on making sites more secure.

Security presentation at Drupalcon Barcelona 2015 (includes video)

Security presentation at Drupalcon Amsterdam 2014 (includes video)

Security presentation at Drupalcamp Vienna 2013 for coders (YoutTube Video)

Security presentation at Copenhagen 2010 for coders and themers

Security presentation at San Francisco 2010 for site administrators (includes video)

Security presentation at San Francisco for coders and themers (includes video)

Additional information