Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid to Ask)

Session track
Code & Development
Experience level
50 min

In this session I will talk about what we should do when a bug, or possibly a security issue, is discovered in an Open Source project.

As members of the Drupal community, we have workflows to respect when reporting issues, in particular the Disclosure Policy of the Drupal Security Team. Yet most Drupal users are still not fully aware of how these issues should be reported, what qualifies a security issue as a real vulnerability, and how maintainers of contributed projects should act when they are warned about an existing security vulnerability in their code base.

We'll talk about examples from recent years: how the Drupal Security Team managed to release security updates.
What are the key moments in the workflow of a security.drupal.org issue?
Why should we update our websites with at least the highly critical updates as soon as possible?
How should we evaluate risk on a Wednesday evening when a contrib project gets a security update, i.e. what are those codes and scores in a security advisory?
What should we do if we find something in our own code, or in someone else's?
These and many other questions related to Drupal security will be answered in a story-based talk by a current Provisional Member of the Drupal Security Team!