Contacted by the security team. Now what?

Last modified: June 6, 2009 - 00:16

When the security team finds a vulnerability in your module, or receives a report describing one, you will be contacted and asked to investigate it.

What you need to do

  1. Review the report.
  2. Review your module for similar vulnerabilities.
  3. Create a patch and send it to the security team for review. Do not commit anything until you hear back from us.
  4. Prepare a draft of the announcement using the previous Security Announcements as guidelines.
  5. Coordinate with the security team on a time when you can commit the fix and create a new release (see below).

It is important to keep the issue confidential during this process, and to coordinate each step with the security team.

Whenever you are not sure what to do, contact the security team at security@drupal.org for advice.

What the security team will do

  • Help you with questions.
  • Track progress.
  • Write an advisory.

If we have not received a reply within one month after contacting you, we will publish an advisory urging users to uninstall the affected module. The relevant project will be unpublished.

Coordinated release and announcement

When a vulnerability has been corrected in coordination with the security team, you have to make a new release. This usually means incrementing the minor version, for example from 6.x-1.0 to 6.x-1.1. If you have never created proper releases, you need to create the first release (6.x-1.0).

See Managing releases for background information on releases. Any release created to address a security problem should be classified as a Security update release using the Release type category when creating (or editing) the release node. See Types of releases for more information.

To make sure the release and announcement are published at the same time, contact the security team leader at one of the following IM addresses when you are ready to release:

IM (ICQ #) : 437838193
IM (MSN/YH): drupal_secteam@yahoo.com
IM (Jabber): drupal-security@jabber.org

If you prefer IRC, contact the nick drupal-security on Freenode (irc.freenode.net).

Note that these IM addresses are for security issues or release coordination only and will not keep contact lists.
