How to report a security issue

Last modified: April 6, 2009 - 14:00

If you discover a vulnerability in Drupal core or a contributed module, keep it confidential. Mail us at security@drupal.org; do not post it in the issue tracker. The security team will investigate your report and create a fix. When the issue is in a contributed module, the team coordinates with a module maintainer. When a fix is ready, an advisory urging users to upgrade is published.

Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming.

Do not disclose the vulnerability to anyone before the advisory is issued.

A good report

Provide us with a detailed report. At a minimum, include:

  • Drupal version or module version.
  • Steps to reproduce.

Credit

If you report a previously unknown vulnerability to the Drupal security team, you will be credited in the security announcement.

 
 
