Security announcements and process policy

Which Releases Get Security Announcements?

Security announcement are only made for issues affecting stable releases (Y.x-Z.0 or higher) in the supported major version branches (at the time of writing Drupal 5.x and Drupal 6.x). That means no security announcements for development releases (-dev), ALPHAs or BETAs.

We do not take the usage of a project into account to keep this policy clear for our users.

What About Vulnerabilities Which Require Advanced Permissions?

Another case where no security announcement is required is when an exploit requires one of the following permissions:

• Administer filters
• Administer users
• Administer permissions
• Administer content types
• Administer site configuration

In general, every permission that in itself already enables site-takeover.