Backdrop CMS Security Team
The Backdrop CMS Security Team receives reports of security-related issues, fixes issues that affect Backdrop core, and coordinates with the maintainers of contributed projects on fixes and releases for those projects.
Reporting a Security Issue
Send an email to security@backdropcms.org if you have found a security issue in Backdrop core or a contributed project. Do not file an issue on GitHub, and do not discuss the issue in public chat.
Please see Reporting a security issue for more details.
Security Releases for Backdrop Core
Security releases will be issued for the last 2 minor releases of Backdrop, or for the last 8 months. This should give all Backdrop sites an 8-month secure window to update to the latest version.
Security Releases for Contributed modules, themes, & layouts
Security-related issues for contributed projects should also be reported to security@backdropcms.org.
The Backdrop security team will contact the project maintainers via GitHub private issue, live chat, or email to notify them of the security issue. The reporter may also be invited to participate via the private Backdrop security repository created to address the issue reported.
Once a solution to the problem has been found, the security team and the project maintainer will schedule a release for an upcoming Wednesday. A Security Advisory for the security release will be drafted.
On the day of release, the maintainer will commit the changes, and create a release as usual. Then the Backdrop Security Team will publish the Security Advisory, and mark the release as a security release on backdropcms.org.
If a CVE is warranted, it will be requested by the Backdrop Security Team to ensure that all parties involved get credit for their efforts.
Security releases for Drupal projects
The Backdrop Security Team also monitors all security releases for Drupal projects. When a security release affects a project that exists for both Drupal and Backdrop, we will work with the Backdrop maintainers to create a matching Backdrop security release within the next 24 hours, if possible. For contributed projects, our Security Team acts reactively to Drupal's security releases. This differs from Backdrop core, where the Backdrop Security Team acts proactively.
In the event that the maintainer of a Backdrop contributed project is not available to perform a review or update of a security release, the Backdrop Security Team is authorized to make the update to the Backdrop contributed project on the maintainer's behalf.
Collaboration with Drupal
The Backdrop community collaborates with the Drupal community on security issues. Issues that affect both Drupal and Backdrop are reported, discussed, and managed in the private Drupal Security Queue on drupal.org.
Drupal Security Team Collaboration
We work closely with the Drupal Security Team on releases that also affect Drupal core, as well as on contributed modules that are included in Backdrop core (for example, the Email and Views modules).
When a security issue that affects both Backdrop and Drupal is resolved, security releases for both Backdrop and Drupal core come out on the same Wednesday.
D7 Security Group Collaboration
We work closely with the D7 Security Group on releases that also affect Drupal 7. Though Drupal 7 is technically End of Life, there will still be security releases for these older projects.
When a security issue that affects both Backdrop and Drupal 7 is resolved, security releases for both Backdrop and the Drupal 7 project will come out on the same Wednesday.
Security Releases for External Libraries
Backdrop CMS core includes several external libraries, such as Bootstrap, CKEditor, jQuery, jQuery UI, and SmartMenus. When there is a security release for any of these projects, Backdrop core will be updated to the latest secure, backwards-compatible version of the library. If the latest secure version of the library is not backwards-compatible, the copy of the library in Backdrop core will be patched to mitigate the security concern.
Disclosure policy
The security team follows a Coordinated Disclosure policy: we keep issues private until there is a fix or until it becomes apparent that the maintainer is not addressing the issue in a timely manner.
Public announcements are made when the threat has been addressed and a secure version is available, or when an insecure project becomes unsupported. When reporting a security issue, observe the same policy. Do not share your knowledge of security issues with others.
Linux Foundation Core Infrastructure Initiative
The CII Best Practices Program is an open source secure development maturity model. A project that holds a CII badge showcases its commitment to security. Examples of the initial criteria include basic open source development practices (a website, an open source license, and user engagement), use of change control tools, attention to quality (an automated test suite), and a focus on security (a secure project delivery method and the use of dynamic and static analysis tools, as appropriate for the project). Consumers of the badge can quickly assess which open source projects care about security-conscious development.
Backdrop CMS is proud to display its CII Best Practices badge: