Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.On this page
Security track record
This documentation needs work. See "Help improve this page" in the sidebar.
Composed of a set of respected community volunteers, and one of the first dedicated Security Teams in an open source CMS project, the Drupal Security Team works to resolve reported security issues for code hosted on drupal.org, to review code for vulnerabilities, and to provide security expertise and assistance to contributors.
The Drupal community has an excellent track record of finding and fixing vulnerabilities in community-created code.
The number of security advisories shows consistent and reliable activity within the code contributors and the security team who guides the process of fixing and releasing security patches. Some interpret these numbers and say "a large number of vulnerabilities must mean insecure code." That analysis ignores the reality that all code has bugs (including security bugs) and the most important thing is an active group of coders and researchers finding and fixing bugs.
Number of Security Advisories for Drupal core and contributed projects per year
| Year | Core | Contributed |
|---|---|---|
| 2023 | 6 | 48 |
| 2022 | 15 | 63 |
| 2021 | 11 | 46 |
| 2020 | 13 | 38 |
| 2019 | 12 | 96 |
| 2018 | 6 | 81 |
| 2017 | 4 | 97 |
| 2016 | 5 | 63 |
| 2015 | 4 | 175 |
| 2014 | 6 | 128 |
| 2013 | 3 | 98 |
| 2012 | 4 | 174 |
| 2011 | 3 | 59 |
| 2010 | 2 | 98 |
| 2009 | 8 | 115 |
| 2008 | 11 | 64 |
| 2007 | 11 | 21 |
| 2006 | 12 | 21 |
| 2005 | 7 | 2 |
Security team presentations
The security team is usually well represented at Drupalcons and camps, to raise awareness and share tips on making sites more secure.
- Security presentation at Drupalcon Barcelona 2015 (includes video)
- Security presentation at Drupalcon Amsterdam 2014 (includes video)
- Security presentation at Drupalcamp Vienna 2013 for coders (YoutTube Video)
- Security presentation at Copenhagen 2010 for coders and themers
- Security presentation at San Francisco 2010 for site administrators (includes video)
- Security presentation at San Francisco for coders and themers (includes video)
Additional information
- The Drupal Security White Paper published by some members of the Drupal security team 11 March 2014, licensed CC-BY-ND
Provides an analysis of the current state of Drupal security. Decision makers evaluating Drupal for use as a content management system or framework solution are encouraged to use this document in their decision process. The analysis includes historical vulnerability data with respect to mitigation techniques, common and critical security risks, and the community-driven procedures unique to Drupal. - Dries Buytaert's blog post Drupal security team: past, current and future
- Is Drupal Secure?
Help improve this page
You can:
- Log in, click Edit, and edit this page
- Log in, click Discuss, update the Page status value, and suggest an improvement
- Log in and create a Documentation issue with your suggestion
