
How to report a security issue

If you discover a vulnerability in Drupal core or a contributed module, keep it confidential. Mail us at security@drupal.org; do not post in the issue tracker or discuss it in IRC. The security team will investigate your report and work with you and the project maintainer to create a fix. When the issue is about a contributed module, the team coordinates with a module maintainer. When the fix is ready, we will create a release and announce the fix to a wide audience.

Some bugs take time to correct, and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming. We aim for a rapid fix, but balance that with the available time of our volunteer team and the need to release high-quality fixes.

Do not disclose the vulnerability to anyone before the advisory is issued.

A good report

Provide us with a detailed report. At a minimum, include:

  • Drupal version and/or module version.
  • Steps to reproduce the problem.

My site was defaced and I don't know how

Please review the page "My site was defaced ("hacked"). Now what?" and add the information it requests. The Drupal Security Team is unlikely to be able to assist in finding the root problem or helping to restore your site, but is always interested in these reports.

Credit

If you follow this process to report a previously unknown vulnerability to the Drupal security team, you will be credited in the security announcement with your name and a link to your Drupal.org profile. Individuals who choose to disclose it publicly before the team and module maintainer can coordinate on a release will not be credited in the release.
