HOWTO: Report a security issue

Contact the security team

If you discover a vulnerability in Drupal core or in a contributed module, please keep it confidential. Do not post it in the issue tracker; instead, email us at security@drupal.org. We will investigate your report and create a fix or, when the issue concerns a contributed module, ask a module maintainer to do so. When the fix is ready, we will publish an advisory urging users to upgrade.

Some bugs take a while to correct, mainly because we need to review the codebase for similar problems.

We kindly ask you not to disclose the vulnerability to anyone before the advisory is issued.

A good report

Please provide us with a detailed report. At a minimum, we need:

  • Drupal version or module version.
  • CVS Id for modules that were available/downloaded prior to the new release system.
  • Steps to reproduce.

Credit

If you report a previously unknown vulnerability to the Drupal security team, you will be credited in the security announcement.


Drupal is a registered trademark of Dries Buytaert.