Backdrop CMS Security Team
The Backdrop CMS Security Team handles the receiving of security-related issues, fixing issues that affect Backdrop core, and coordinating with maintainers of contributed projects for fixes and releases of those projects.
Reporting a Security Issue
If you have found a security issue in Backdrop Core or a Contributed Project, send an email to email@example.com. Do not file an issue on GitHub if you think you have encountered a security issue. The Backdrop Security Team uses a private repository on GitHub where security issues are discussed and managed. When a security issue that affects Backdrop CMS is resolved, a release will come out on the following Wednesday.
Security Releases for Backdrop Core
Security releases will be issued for the last 2 minor releases of Backdrop, or for the last 8 months. This should give all Backdrop sites an 8-month secure window to update to the latest version. As the community grows and as more core maintainers are added, we expect to extend security releases to the last 3 releases, or to the last 1 year.
Security Releases for Contributed modules, themes, & layouts
As with Backdrop CMS core issues, security-related issues for contributed projects should also be reported to firstname.lastname@example.org. The Backdrop Security Team will contact the maintainers using Github.com, using Zulip chat, or using email to work on resolving the security issue. The project maintainer may be temporarily invited into the private Backdrop security repository to see the issue, and participate in the discussion.
Once a solution to the problem has been found, the security team will request the project maintainer schedule a release for the following Wednesday. A security announcement for the security release will be drafted, and on the day of release the Backdrop Security Team will publish the announcement, and mark the release as a security release on backdropcms.org.
Security releases for Drupal projects
The Backdrop Security Team is also watching all security releases for Drupal projects. When there are security releases that affect projects for both Drupal and Backdrop, we will work with Backdrop maintainers to create a matching Backdrop security release within the next 24 hours, if possible. For contributed projects, our Security Team acts reactively to Drupal's security releases. This differs from Backdrop core, where the Backdrop Security Team acts proactively.
In the event that the maintainer of a Backdrop contributed project is not available to perform a review or update of a security release, the Backdrop Security Team is authorized to make the update to the Backdrop contributed project on the maintainer's behalf.
Collaboration with the Drupal Security Team
The Backdrop community collaborates with the Drupal community on security issues. We coordinate security releases for Backdrop core and Drupal core, as well as for Drupal contributed modules that are included in Backdrop core (for example: Views).
All issues that affect both Drupal and Backdrop are reported, discussed, and managed in the private Drupal Security Queue on drupal.org, where we have access to all issues that also affect Backdrop. When a security issue that affects both projects is resolved, security releases for both Backdrop and Drupal core come out on the same Wednesday.
Security Releases for External Libraries
Backdrop CMS core includes several external libraries like Bootstrap, CKeditor, jQuery, jQueryUI, SmartMenus. When there are security releases for any of these projects, Backdrop core will be updated to the latest secure and backwards-compatible version of the library. If the latest secure version of the library is not backwards-compatible, the code in Backdrop core will be altered to mitigate the security concern.
Because we are a free Open Source project with only a modest budget, we aren't able to pay rewards to those who submit reports. Backdrop contributors are not paid directly for their work, either by the project itself or by its supporting organization. There are a handful of programs, however, that do pay rewards for vulnerabilities found in Open Source projects, such as:
Linux Foundation Core Infrastructure Initiative
This Best Practices Program is an open source secure development maturity model. Projects having a CII badge will showcase the project’s commitment to security. Examples of initial criteria include basic open source development practices (website, open source license, and user engagement), use of change control tools, attention to quality (automated test suite), and focus on security (secure project delivery method, use of dynamic and static analysis tools, as appropriate for the project). Consumers of the badge will be able to quickly assess which open source projects care about security-conscious development.