Published: Fri, 10/17/14
The Drupal Security Team
- What type of people are on the Drupal Security Team?
  - Mostly coders, some project managers, core maintainers
- What does the security team do?
  - Fix security issues in Drupal
  - Resolve reported security issues in a Security Advisory
  - Provide assistance for contributed module maintainers in resolving security issues
  - Provide documentation on how to write secure code
  - Provide documentation on securing your site
  - Help the infrastructure team to keep the drupal.org infrastructure secure
- What doesn't the security team do?
  - Cover projects without stable releases
  - Site support
  - Set policy around security; that is done with the security working group.
- Is there a D7 security team and a D8 security team with different people? (What about Drupal 6?)
- How can others get involved?
- What was the recent bug that was fixed?
Questions from Twitter
- Paulius Pazdrazdys
How is this latest security release different from others? Do you have any information on whether this bug did any harm before the release?
The recent bug was über critical, still only 20/25. What would be a 25/25 bug?
Do you notify any high value targets before SA is sent out? Is the list of those public? Can one be part of this privileged group?
- Carie Fisher
When was the latest bug found? Is there a private Drupal security group where this was discussed? Could we have found out sooner?
- David Hernandez
What is the average time from discovery to announcement?
- Damien McKenna
@ModsUnraveled Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?
- Heine Deelstra
How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue?
- Mark Conroy
I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question)
Are there plans for some sort of bounty program run by DA maybe?
- David Hernandez
What kind of work does the security team do besides review code? What is the administrative overhead?