HOWTO: Report a security issue
Contact the security team
If you discover a vulnerability in Drupal core or in a contributed module, please keep it confidential. Do not post it in the issue tracker; email us at security@drupal.org instead. We will investigate your report and create a fix or, when the issue is about a contributed module, ask a module maintainer to do so. When the fix is ready, we will publish an advisory urging users to upgrade.
Some bugs take a while to correct, mainly because we need to review the codebase for similar problems.
We kindly ask you not to disclose the vulnerability to anyone before the advisory is issued.
A good report
Please provide us with a detailed report. At a minimum, we need:
- Drupal version or module version.
- CVS Id for modules that were available/downloaded prior to the new release system.
- Steps to reproduce.
Credit
If you report a previously unknown vulnerability to the Drupal security team, you will be credited in the security announcement.
