Security team

Last modified: February 5, 2010 - 11:01

Goals of the security team

  • Resolve reported security issues.
  • Review code for potential security weaknesses.
  • Provide assistance for contributed module maintainers in resolving security issues.
  • Provide documentation on how to write secure code.
How to report a security issue

If you discover or learn about a potential error, weakness or threat that could compromise the security of Drupal, mail your concern to the Drupal security team: security@drupal.org. Provide as many details as you can about the environment, Drupal version, modules used, their versions and so on. For more information, see how to report a security issue.

How the security team resolves reported security issues

  • Review the issue and evaluate the potential impact on all supported releases of Drupal.
  • If it is indeed a valid problem, the security team is mobilized to eliminate it.
  • New versions are created and tested.
  • New packages are created and uploaded to Drupal.org.
  • When an issue has been fixed, the security team uses all available communication channels to inform users of the steps they must take to protect themselves.

Recommended Core Security Improvements

In 2007, high school student Jesse Crawford wrote a report on Drupal security as part of the Google Highly Open Project.

Security announcement and release process

Providing security requires more than simply posting a patch to Drupal.org. Hundreds of thousands of people rely on the Drupal security team to notify them of known vulnerabilities. The security team coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance. The security team works with Drupal core and module maintainers.

If you are concerned with the response time or handling of a security issue, contact security@drupal.org. You may publicly discuss the policy, but not the details of any undisclosed issue.

There are three pages listing past security announcements:

Disclosure policy

The security team follows a full disclosure policy: it does not withhold information about a security problem in the hope that it won't be discovered by others. Public announcements are made once the threat has been addressed and a secure version is available. When reporting a security issue, observe the same policy: do not share your knowledge of the issue with the public at large until it has been announced.

Which versions are supported?

  • Only the current and one previous version of Drupal are actively supported, currently 6.x and 5.x. Upgrade if you are using an unsupported version of Drupal.
  • The development branch of Drupal is not intended for production use. Security problems in it are fixed, but no security announcements are issued for them, so update your code regularly.
  • The security team oversees the security of the core Drupal distribution. The security of contributed modules relies on their individual maintainers.

Issues with contributed modules

When the security team learns of a security issue in a contributed module, the module maintainer is contacted and given a deadline. When the maintainer fixes the problem, the security team issues an advisory. If the maintainer does not fix the problem within the deadline, an advisory is issued recommending that the module be disabled, and the project on Drupal.org is unpublished.

How to get involved?

The most important help you can provide is reviewing proposed patches with a security mindset. You can also help by reporting issues and working with the team on a fix. Because membership in the team gives an individual access to potentially destructive information, membership is limited to people who have a proven track record in the Drupal community. The best way to build that track record is to meet the security team members at real-world events, help out in the public issue queue, and join the conversation in #drupal.

Security team members


Drupal is a registered trademark of Dries Buytaert.