Responsible disclosure, cross-project collaboration, and Drupal 8 security
The Drupal project has been following a responsible disclosure model for more than 12 years. As Drupal has grown from a few thousand installs to more than 1 million, and as the number of contributed projects on Drupal.org has grown from hundreds to tens of thousands, the Drupal Security Team has continually evolved our processes to scale our security coverage.
We continue to work to ensure that every site owner has the opportunity to install security fixes as soon as security advisories are released and that whenever possible fixes are available for production use before exploits can be deployed in the wild.
With Drupal 8, three important changes have required further improvements to Drupal Security Team processes:
- The adoption of modern PHP libraries as dependencies, modern packaging with Composer, and a “proudly found elsewhere” philosophy (rather than Drupal maintaining its code from the ground up).
- The adoption of semantic versioning and a six-month minor release cycle.
- The adoption of the continuous upgrade path, which we share with the Symfony project (one of Drupal 8's major dependencies).
This session will use examples from past Drupal 8 core security advisories to explore some of the following questions:
- How do we handle accelerated innovation with a limited security team? (New code and features => new vulnerabilities and attack vectors)
- What is the impact of having up to three Drupal 8 branches in development or production at any given time (along with Drupal 7 and the Drupal 6 LTS program)?
- How do we handle backward compatibility and semantic versioning for security releases, and ensure that Drupal 8 sites have sufficient time to update following a new minor release?
- How do we balance releasing fixes as soon as possible with avoiding disruption to existing contributed projects, custom code, and Drupal 8 sites?
- How do we avoid regressions from past advisories without disclosing specific exploits too early after the advisory?
- How do we deal with upstream vulnerabilities, and how can we improve collaboration on responsible disclosure with these projects?