If you would like to join the Drupal security team, we have the following volunteer roles available.

  • Security team member: Contributors work on Drupal core or contributed module security issues. They review security issues reported to the team, review patches, and write patches. Please send a link to your drupal.org profile and background on security issues you've identified or worked on.

The Security Team handbook page has more information about the team.

How do you apply?

Please send an email to security@drupal.org. The email should cover the following:

  • Confirm you have the "git vetted user role"
  • Provide a list of public issues you have worked on that enhance or harden security in Drupal
  • How many hours you can commit to the team per month
  • State that you are willing to keep the confidential issues of the team confidential and that you have read https://www.drupal.org/node/2544896
  • List any relevant experience you have working on security issues
  • List the kinds of work you'd like to do
  • Your favorite vulnerability and why

New applicant review process

  1. An email is received from an applicant
  2. A few people vouch for the person and nobody has reasons against them joining
  3. We wait about 2 weeks for feedback from other team members
  4. The person is invited to help on one or more specific issues in a provisional team member role to prove their commitment and appropriateness to joining the team
  5. After some period of time being active on individual issues and proving to be trustworthy, the person is added to the team

We usually take 2 weeks to review new applicants. If you don't hear back in 2 weeks and 1 day, please send us a reminder email.

Improve Drupal's security from outside the team

Before you apply or if you are not accepted at first, there are still many things you can do to improve the security of Drupal.

In most cases, people are not accepted because the current team members don't know the applicant well enough. There are a few great ways to solve that problem. As you do these things, please keep links to the comments and node revisions that show your work, so you can include them in a future email to the team:

  • Do reviews of Project applications with a particular focus on security. If you find a security issue, be sure to tag the application issue with "Pareview: Security".
  • Review the handbooks under security team and look for places where the documentation could be improved. Make those changes (if you can't due to a filter permissions problem, file a documentation issue suggesting the change).
  • Work on issues tagged with security improvements
  • Attend a DrupalCamp or DrupalCon and talk with any security team members in attendance. Ask them questions about their experience and talk about your interests related to security.