Security team
Goals of the security team
- Resolve reported security issues.
- Review code for potential security weaknesses.
- Provide assistance for contributed module maintainers in resolving security issues.
- Provide documentation on how to write secure code.
How to report a security issue
If you discover or learn about a potential error, weakness or threat that could compromise the security of Drupal, mail your concern to the Drupal security team: security@drupal.org. Provide as many details as you can about the environment, Drupal version, modules used, their versions and so on. For more information, see how to report a security issue.
How the security team resolves reported security issues
- Review the issue and evaluate the potential impact on all supported releases of Drupal.
- If it is indeed a valid problem, the security team is mobilized to eliminate it.
- New versions are created and tested.
- New packages are created and uploaded to Drupal.org.
- When an issue has been fixed, all available communication channels are used to inform users of the steps they must take to protect themselves.
Recommended Core Security Improvements
In 2007, a report on Drupal security was written by Jesse Crawford, a high school student, as part of the Google Highly Open Project.
Security announcement and release process
Providing security requires more than simply posting a patch to Drupal.org. Hundreds of thousands of people rely on the Drupal security team to notify them of known vulnerabilities. The security team coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance. The security team works with Drupal core and module maintainers.
If you are concerned with the response time or handling of a security issue, ask security@drupal.org. You may publicly discuss the policy, but not the details of any non-disclosed issue.
There are three pages listing past security announcements:
Disclosure policy
The security team has a full disclosure policy: it does not withhold information about a security problem in the hope that it won’t be discovered by others. Public announcements are made once the threat has been addressed and a secure version is available. When reporting a security issue, observe the same policy: do not share your knowledge of security issues with the public at large until a fix is available.
Which versions are supported?
- Only the current and one previous version of Drupal are actively supported, currently 6.x and 5.x. Upgrade if you are using an unsupported version of Drupal.
- The development branch of Drupal is not intended for production use. Security problems are fixed, but security announcements are not issued. Update your code regularly.
- The security team oversees the security of the core Drupal distribution. The security of contributed modules relies on the individual maintainers.
Issues with contributed modules
When the security team learns of a security issue with a contributed module, the module maintainer is contacted and given a deadline. When the maintainer fixes the problem, the security team issues an advisory. If the maintainer does not fix the problem within the deadline, an advisory is issued recommending that the module be disabled, and the project on Drupal.org is unpublished.
How to get involved?
The most important help you can provide is reviewing proposed patches with a security mindset. You can also help by reporting issues and working with the team on a fix.
Security team members
- Khalid Baheyeldin
- Joshua Brauer
- Dries Buytaert
- Angela Byron
- Robert Castelo
- Nathaniel Catchpole
- Stéphane Corlosquet
- Heine Deelstra (team leader)
- Neil Drumm
- Ben Jeavons
- Dmitri Gaskin
- James Gilliland
- Charlie Gordon
- Gábor Hojtsy
- Morbus Iff
- Bart Jansens
- Barry Jaspan
- Chris Johnson
- Gerhard Killesreiter
- Andy Kirkham
- Greg Knaddison
- Kieran Lal (coordinator)
- Adam Light
- John Morahan
- Karoly Negyesi
- Chad Phillips
- Stella Power
- David Rothstein
- Jakub Suchy
- Mori Sugimoto (coordinator)
- David Strauss
- Oleg Terenchuk
- Damien Tournoud
- James Walker
- Moshe Weitzman
- Peter Wolanin
- Derek Wright

Levels of Security Risk?
I've seen the following values show up for "Security Risk" in various advisories:
Less Critical, Critical, Highly Critical, Moderately Critical, Less Critical, Not critical
Does there exist an explanation of what each of these means, in terms of what a hacker could do to your site? Or is it sort of an ad-hoc assessment based on each vulnerability?
Same Question!?
I was looking for the same information. Please let me know if you were able to find a description of each security level.
Thank you
math question captcha
On my site they found a way to pass the math question and I had about 30 spam comments, and 12 hrs later again. I changed to image captcha and hope this will solve the issue. Any recommendations or help are welcome.