Contacted by the security team. Now what?

When the security team finds a vulnerability in your module, or receives a report describing one, you will be contacted and asked to fix it.

What you need to do

  • Review the report.
  • Review your module for similar vulnerabilities.
  • Fix the vulnerability.
  • Commit the fix using a non-descriptive commit message (so the commit itself does not disclose the vulnerability before the advisory is published).
  • Inform the security team that your module is fixed. Provide version information as well.
  • Create a new release of your module (see below).
  • Keep the issue confidential until the security team releases a security announcement.

What the security team will do

  • Help you with questions.
  • Track progress.
  • Write an advisory.

If we have not received a reply within one month after contacting you, we will publish an advisory urging users to uninstall the affected module. The relevant project will be unpublished.

Coordinated release and announcement

When a vulnerability has been corrected you have to make a new release. This usually means an increase of the minor version, for example from 4.7.x-1.0 to 4.7.x-1.1. If you have never created proper releases you need to create the first release (4.7.x-1.0).

See Managing releases for background information on releases. Any release created to address a security problem should be classified as a Security update release using the Release type category when creating (or editing) the release node. See Types of releases for more information.

To make sure the release and announcement are published at the same time, contact the security team leader at one of the following IM addresses when you are ready to release:

IM (ICQ #) : 437838193
IM (MSN/YH): drupal_secteam@yahoo.com
IM (Jabber): drupal-security@jabber.org

If you prefer IRC, contact the nick drupal-security on Freenode (irc.freenode.net).

Note that these IM addresses are for security issues or release coordination only and will not keep contact lists.

An alternative method exists:

  • Create an official release tag, but no release node.
  • Write the text for the release node.
  • Send the text of the release node and the tag to security at drupal.org.
  • We will create a release node and make sure the announcement is published.