Contacted by the security team. Now what?

When the security team finds a vulnerability in your module, or receives a report describing one, you will be contacted and asked to investigate it.

What you need to do

  1. Review the report and confirm the vulnerability.
  2. Review the rest of your module for similar vulnerabilities, not just the reported instance.
  3. Create a patch and send it to the security team for review. Do not commit anything until the security team instructs you to do so.
  4. Prepare a draft of the security advisory, using the previous Security Advisories as guidelines. Post it to the security.drupal.org site as a node using the content type for SAs.
  5. Coordinate with the security team on a time when you can commit the fix and create a new release (see below).
  6. Keep the information confidential. Share it only with the security team and the module's co-maintainers until the security announcement has been released.

It is important to keep the issue confidential during this process, and to coordinate each step with the security team.

Whenever you are not sure what to do, contact the security team at security@drupal.org for advice.

What the security team will do

  • Help you with questions.
  • Ensure timely progress.
  • Review the patch and advisory for style/accuracy.

If we have not received a reply within one month of contacting you, we will publish an advisory urging users to uninstall the affected module, and the relevant project will be unpublished.

Coordinated release and announcement

When a vulnerability has been corrected in coordination with the security team, you have to make a new release. This usually means incrementing the minor version, for example from 6.x-1.0 to 6.x-1.1. If you have never created a proper release, you need to create the first release (6.x-1.0) before a fixed release can be published.

See Managing releases for background information on releases. Any release created to address a security problem should be classified as a Security update release using the Release type category when creating (or editing) the release node. See Types of releases for more information.

When you commit the fix, use a commit message that does not draw attention to the security issue; a detailed message would tip off attackers before the advisory and release are public. Do not discuss the pending release with anyone outside of the security team and the co-maintainers of the module.

To make sure the release and announcement are published at the same time, contact your security team contact via the security.drupal.org issue queue or via IRC. The list of team members includes their IRC nicks where available.