Backdrop CMS Security Team

The Backdrop CMS Security Team receives reports of security-related issues, fixes issues that affect Backdrop core, and coordinates with module maintainers for contributed modules.

Reporting a Security Issue

If you have found a security issue in Backdrop Core or a Contributed Project, send an email to security@backdropcms.org. Do not file an issue in GitHub if you think you have encountered a security issue. The Backdrop Security Team uses a private repository on GitHub where security issues are discussed and managed. When a security issue that affects Backdrop CMS is resolved, a release will come out on the following Wednesday.

Contributed modules, themes, & layouts

As with Backdrop CMS core issues, contributed project issues should also be reported to security@backdropcms.org. The Backdrop Security Team will contact the module maintainers by email to work on resolving the security issue. In some situations, the project maintainer may be temporarily invited into the private Backdrop security repository. Once a solution to the problem has been found, the Security Team will request that the project maintainer schedule a release for the following Wednesday. The Backdrop Security Team will then create a security announcement for the security release.

In the event that the maintainer of a Backdrop contributed project is not available to perform a review or update of a security release, the Backdrop Security Team is authorized to make the update to the Backdrop contributed project on the maintainer's behalf.

Collaboration with Drupal Security Team

The Backdrop community collaborates with the Drupal community on security issues. We coordinate security releases for Backdrop core and Drupal core, as well as for Drupal contributed modules that are included in Backdrop core (for example: Views). For contributed modules not in Backdrop core, we monitor recent Drupal contrib module releases and work with the Backdrop contributed module author to address the security issue as quickly as possible.

All issues that affect both Drupal and Backdrop are reported, discussed, and managed in the private Drupal Security Queue on drupal.org, where we have access to all issues that also affect Backdrop. When a security issue that affects both projects is resolved, security releases for Backdrop and Drupal core come out on the same Wednesday.

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone on the list announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"