Do not commit changes until you have coordinated with the security team.
When the security team finds a vulnerability in your module or receives a report detailing so, you will be contacted and asked to investigate it.
What you need to do
- Review the information you have been provided by the security team.
- Review the project for similar vulnerabilities.
- Create a patch and send it to the security team for review. Do not commit anything until the advisory is written and you have coordinated a release date with the team. (If you would prefer to create a PR, you will need to do so in a private repository, and invite the security team to review it there.)
- Prepare a draft of the security advisory using previous Security Advisories as guidelines. The security team will provide you with a draft advisory node on backdropcms.org. It will be private while its content is approved by both the maintainers and security team.
- Coordinate with the security team a time when you can do the commit and create a new release (see below).
- Keep the information a secret to yourself, the security team, and project co-maintainers until the security announcement has been released
It is important to keep the issue confidential during this process, and to coordinate each step with the security team.
Whenever you are not sure what to do, ask a security team member for advice.
What happens if I don't respond?
The Security Team's priority is to get a good solution published in a timely manner. We are happy to discuss potential solutions or answer questions from maintainers, though we would prefer not to write the fix for the maintainers.
If the maintainers are unavailable, don't respond, or don't make progress on fixing the issue within 2 weeks of being initially contacted, or if communication and/or progress seems to stall, then the Security Team is authorized to commit a fix for the problem, and issue a security release for the project along with a Security Advisory.
Factors that can play into how quickly this happens include the severity of the bug, the willingness of the maintainers, and the number of sites affected.
What the security team will do
- Answer any questions you may have
- Ensure timely progress on the issue
- Review patches or PRs to resolve the concern
- Create a draft SA on backdropcms.org for you
- Review and publish the SA
- Mark the release on backdropcms.org as a security release
Coordinated release and announcement
When a vulnerability has been resolved in coordination with the security team, a new release is required. This usually means an increase of the minor version, for example from 1.x-1.1.1 to 1.x-1.2.0.
See Creating releases for background information on releases. Any release created to address a security problem must be classified as a Security release . See Types of releases for more information. Release nodes tagged "Security update" do not get published automatically. A member of the team will manually publish it for you.
When you commit security changes use a commit message that does not call attention to the security issue. Do not discuss the pending release with anyone outside of the security team and the co-maintainers of the project. If you have created automated tests that test the vulnerability do not commit these tests at the time of the release, but instead hold onto them for a while (e.g. 2 weeks) before committing them as this helps reduce the likelihood of an attacker creating an exploit for the vulnerability.
The Backdrop and Drupal communities make security releases/announcements public on Wednesdays that are not near a major holiday. We prefer if you commit the code and create the release nodes on an agreed Tuesday after 17:00 UTC. You can then update the security advisory adding links to the release nodes and update the issue on backdropcms.org. We try not to create new releases after Wednesday 22:00 UTC, so please do not commit a fix after that time without prior approval from a security team member.
To make sure the release and announcement are published at the same time, you can contact your security team contact directly, or email security@backdropcms.org.