Backdrop CMS Security Team

The Backdrop Security Team has a separate process for dealing with security issues that affect Backdrop core. We have a private Backdrop Security Queue on GitHub where security issues are discussed and managed. Backdrop security Issues are reported via email to security@backdropcms.org. When a security issue that affects Backdrop CMS is resolved, a release will come out on the following Wednesday.

Contributed modules, themes, & layouts

The Backdrop Security Team actively monitors all security releases for Drupal contributed projects. When there is a security release for a Drupal project with no corresponding release for the Backdrop version, an issue will be created in the Backdrop Security Queue, and the Backdrop maintainer will be notified. 

In the event that the maintainer of a Backdrop contributed project is not available to perform a review or update of a security release, the Backdrop Security Team is authorized to make the update to the Backdrop contributed project on the maintainer's behalf.

We're on the Drupal Security Team too

The Backdrop community collaborates with the Drupal community on security issues. We coordinate security releases for Backdrop core and Drupal core, as well as for Drupal contributed modules that are included in Backdrop core (for example: Views).

All issues that affect both Drupal and Backdrop are reported, discussed, and managed in the private Drupal Security Queue on drupal.org, where we have access to all issues that also affect Backdrop. When a security issue that affects both projects is resolved, a release for both projects comes out on the same Wednesday.

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone on the list announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"