## The Drupal Security Team

* What type of people are on the Drupal Security Team?
    * https://security.drupal.org/team-members
    * Mostly coders, some project managers, core maintainers
* What does the security team do?
    * We fix issues in Drupal
    * Resolve reported security issues in a Security Advisory
    * Provide assistance for contributed module maintainers in resolving security issues
    * Provide documentation on how to write secure code
    * Provide documentation on securing your site
    * Help the infrastructure team to keep the drupal.org infrastructure secure
* What doesn’t the security team do?
    * Projects without stable releases
    * Site support
    * Set policy around security with the security working group.
* Is there a D7 security team and a D8 security team with different people? (What about Drupal 6?)
* How can others get involved?
* What was the recent bug that was fixed?


## Questions from Twitter

* [Paulius Pazdrazdys](http://www.twitter.com/Paulenas)

How is this latest security release different from others? Do you have any information if this bug did any harm before release? #MUP122

* [aboros](http://www.twitter.com/hunaboros)

The recent bug was über critical, still only 20/25. What would be a 25/25 bug? #MUP122

* [aboros](http://www.twitter.com/hunaboros)

Do you notify any high value targets before the SA is sent out? Is the list of those public? Can one be part of this privileged group? #MUP122

* [Carie Fisher](http://www.twitter.com/cariefisher)

When was the latest bug found? Is there a private Drupal security group where this was discussed? Could we have found out sooner? #MUP122

* [David Hernandez](http://www.twitter.com/davidnarrabilis)

#MUP122 What is the average time from discovery to announcement?

* [Damien McKenna](http://www.twitter.com/DamienMcKenna)

@ModsUnraveled #MUP122 Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?

* [Heine Deelstra](http://www.twitter.com/Ustima)

How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue? #MUP122

* [Mark Conroy](http://www.twitter.com/markconroy)

I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question) #MUP122

* [aboros](http://www.twitter.com/hunaboros)

Are there plans for some sort of bounty program run by the DA maybe? #MUP122

* [David Hernandez](http://www.twitter.com/davidnarrabilis)

#MUP122 What kind of work does the security team do besides review code? What is the administrative overhead?
