If you discover a vulnerability, please keep it confidential.
If you have found a security issue in Backdrop Core or a Contributed Project, send an email to email@example.com. The Backdrop Security Team uses a private repository on GitHub where security issues can safely be discussed and fixed.
Please do not file an issue on GitHub, or discuss the issue in public chat if you think you might have encountered a security vulnerability. Do not disclose the vulnerability to anyone else before an advisory is issued.
The security team will investigate your report and then work with you and the project maintainer to create a fix. If the issue is about a contributed project, the security team will coordinate with the maintainer. Once the fix is ready, we will create a release and announce the fix to a wide audience on the following Wednesday.
Some bugs take time to resolve and the process may involve a review of the whole codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming. We aim to fix issues as soon as possible, but we need to balance that with the available time of our volunteer team and the need to release high quality fixes.
If progress on fixing the issue stalls and it cannot be fixed in a mutually agreeable time, we will unpublish the releases for that project and create a Security Advisory detailing the problem.
A good security bug report
Provide a detailed report. Include as many of these items as possible:
- Backdrop version and/or module version affected by the issue.`
- Steps to reproduce the problem starting from a fresh site install.
- A proposed solution.
Optional: you can indicate the way you would like to be referred to in the advisory about the vulnerability. Our preference is to use full names linked to github names. If you do not specify we will do our best to find that information. You can also request a pseudonym, or having your name withheld.
Credit and Coordinated Disclosure
If you follow this process to report a previously unknown vulnerability to the Backdrop security team, you will be credited in the security announcement with your name and a link to your github profile. Note: Individuals who choose to disclose the vulnerability publicly before coordinated release of fixed code will not be credited in the Security Advisory.
What if the vulnerability itself is not covered by the Security Advisory policy?
If you are certain that the vulnerability is not covered by the Security advisory policy, you can still report it by sending an email to firstname.lastname@example.org, but it's also acceptable to post it directly to the project issue queue of that project.
What if the vulnerability affects a project that is not covered by the Security Advisory policy?
If you are absolutely certain that the project containing the vulnerability is not covered by the policy, you can report the issue in the public issue queue of the project affected by the vulnerability. It is considered good form to report security issues to the security team first. We recommend that you report it to the security team by sending an email to email@example.com so that the security team and project maintainers can first be made aware of the issue in private.
What if the vulnerability affects a project that is not in the backdrop-contrib group?
Contact the project author directly. You may also email firstname.lastname@example.org to advise the Security Team of the issue, but they do not handle security advisories for projects hosted elsewhere.
Because we are a free Open Source project with only a modest budget, we aren't able to pay rewards to those who submit reports. Backdrop contributors are not paid directly for their work, either by the project itself or by its supporting organization. There are a handful of programs, however, that do pay rewards for vulnerabilities found in Open Source projects, such as: