Acquia and the Drupal security team

I've been working on the Drupal security team for over three years now. My current role is coordinator of the security team, and that means I help to coordinate when releases happen, review security announcements, recruit new members, and review inactive members. The Drupal security team has a highly competent group of developers and they do a good job self-organizing and getting security releases out the door. If they get stuck, I may step in and help rally the team or work through some of the non-code issues involved in getting security releases out the door. The security team is led by Heine Deelstra and he is the silent champion of improving Drupal security, particularly when it comes to improving Drupal contributed module security. The security team has many great contributors and right now there are 25 active members of the Drupal security team. It's a privilege to work closely with so many great contributors.

I can't share the inner workings of the security team, our security team mailing list, or the contributions involved in patch reviews and testing. I can't share the private responses the security team sends to people who ask security questions. But I can tell you that being a Drupal core maintainer is a lot of work and often involves working late into the night to get security releases out, particularly for European maintainers like Gabor. The Drupal project is lucky to have such dedicated and competent maintainers.

Some Acquia customers and Drupal community members may be curious about how Acquia Drupal works with the Drupal security team. In addition to myself, several Acquia engineers serve on the security team. They work to find and address issues in Drupal and then coordinate with the rest of the Acquia engineering team to do whatever is in the best interest of customers given the situation. Many of us have already been working together for years. It's a tight-knit group with a lot of high-bandwidth communication.

To give you a little history on what we're up to, I pulled together the following list of a handful of recent security reports that members of the Acquia engineering team have found and reported with their fellow Drupal security team colleagues. All of these issues are currently public.

Gabor Hojtsy

Peter Wolanin

Barry Jaspan

Drupal 6 is now on its fifth release with 6.5 coming out yesterday. Several of us at Acquia, particularly Gabor and Peter, worked as members of the Drupal security team to get another successful release out yesterday. While Gabor, Peter, and I were working on getting the Drupal release out the door, the Acquia engineering and product management teams were planning for Acquia Drupal 1.01, our first update. You can download Acquia Drupal 1.01 on our downloads page now. You can also see the updates from your Acquia Network or from the updates notifications inside your Acquia Drupal site.