Modules Unraveled Podcast

122 The Drupal Security Team With Greg Knaddison and Michael Hess - Modules Unraveled Podcast

## The Drupal Security Team

* What type of people are on the Drupal Security Team?

    * https://security.drupal.org/team-members

    * Mostly coders, some project managers, core maintainers

* What does the security team do?

    * Fix issues in Drupal

    * Resolve reported security issues in a Security Advisory

    * Provide assistance for contributed module maintainers in resolving security issues

    * Provide documentation on how to write secure code

    * Provide documentation on securing your site

    * Help the infrastructure team to keep the drupal.org infrastructure secure

* What doesn’t the security team do?

    * Projects without stable releases

    * Site support

    * Set policy around security with the security working group.

* Is there a D7 security team and a D8 security team with different people? (What about Drupal 6)

* How can others get involved?

* What was the recent bug that was fixed?

## Questions from Twitter

* [Paulius Pazdrazdys](http://www.twitter.com/Paulenas)

How is this latest security release different from others? Do you have any information on whether this bug did any harm before release? #MUP122

* [aboros](http://www.twitter.com/hunaboros)

The recent bug was über critical, still only 20/25. What would be a 25/25 bug? #MUP122

* [aboros](http://www.twitter.com/hunaboros)

Do you notify any high value targets before SA is sent out? Is the list of those public? Can one be part of this privileged group? #MUP122

* [Carie Fisher](http://www.twitter.com/cariefisher)

When was the latest bug found? Is there a private Drupal security group where this was discussed? Could we have found out sooner? #MUP122

* [David Hernandez](http://www.twitter.com/davidnarrabilis)

#MUP122 What is the average time from discovery to announcement?

* [Damien McKenna](http://www.twitter.com/DamienMcKenna)

@ModsUnraveled #MUP122 Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?

* [Heine Deelstra](http://www.twitter.com/Ustima)

How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue? #MUP122

* [Mark Conroy](http://www.twitter.com/markconroy)

I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question) #MUP122

* [aboros](http://www.twitter.com/hunaboros)

Are there plans for some sort of bounty program run by DA maybe? #MUP122

* [David Hernandez](http://www.twitter.com/davidnarrabilis)

#MUP122 What kind of work does the security team do besides review code? What is the administrative overhead?

Modules Unraveled Podcast, by jblacson005