Drupal.org Updates Handling of Drupal Core Issues

Data Security, Cyber Security

Drupal.org, the official website for the Drupal content management system, has announced a significant change in how lower-risk issues within Drupal core will be handled. Effective immediately, Drupal core issues reported to the Security Team with risk levels categorized as "Not Critical," "Less Critical," or "Moderately Critical" will be treated as bugs in the public issue queue rather than as private security issues requiring a security advisory and a Common Vulnerabilities and Exposures (CVE) identifier. This adjustment aims to expedite the resolution of these issues by utilizing public issue queues.

The decision to revise the handling of Drupal core issues stems from the desire to address and fix such issues more swiftly, leveraging the collaborative efforts of the broader Drupal community. The Security Team will exercise its discretion to determine whether certain issues can be addressed publicly, considering factors such as the risk score, severity of impact, exploit difficulty, and any additional mitigating factors.

Despite this change, the Drupal Security Team encourages security researchers to initiate the reporting process by filing private issues, which may later be transitioned to public status. Additionally, there may be instances where the Security Team decides to convert a public issue into a private one when necessary.

Drupal core issues carrying a risk level of "Critical" or "Highly Critical" will remain treated as private security issues, ensuring the appropriate level of confidentiality and urgency. Furthermore, some lower-risk issues may still be handled privately at the discretion of the Security Team based on their potential impact.

To learn more about the updated procedures for handling Drupal core issues, interested individuals can visit the official Drupal.org website.

Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on this content policy. If you see any omission or variation on this, please let us know in the comments below and we will try to address the issue as best we can.
