Reporting Drupal.org security issues
Please report Drupal.org security issues to engineering@association.drupal.org. This includes reports about www.drupal.org, any *.drupal.org sites, like jobs.drupal.org, and drupalsteward.org.
This is for issues about Drupal.org the website. If you believe you have found an issue in Drupal or a project hosted on Drupal.org, report it to the Drupal Security Team.
Out of scope:
- Sending reports from automated tools without verifying them will immediately disqualify the report.
- Automated scanning of any kind.
Valid issues for Drupal.org are credited below once fixed.
As a non-profit association supporting an open source project, the Drupal Association is not currently able to support a bug bounty program for Drupal.org, or for the Drupal software itself. We have no funds available for bug bounty payments at this time.
From time to time, with the aid of sponsors, we are able to run short-term bounty programs, and when those are possible we will list them here.
If you are a security researcher, we request that you follow responsible disclosure best practices. Please avoid looking to compromise any actual user data. Please use your own test accounts, or reach out to the Drupal.org team to ask for a development site for testing.
Irresponsible use or disclosure of vulnerability information or confidential data may result in the appropriate sanctions under local and international law.
Thank you for reporting Drupal.org issues
This list is incomplete; let us know if you reported an issue in 2018 or earlier and would like to be listed.
- dr34m14 reported a Reflected Cross-Site Scripting (rXSS) issue, which was fixed 27 Dec 2024
- xurizaemon from Catalyst IT reported an information disclosure issue, which was fixed 19 Oct 2023
- Mohamed Haroun reported a subdomain takeover issue, which was fixed 17 Oct 2023
- Mohamed salmaan reported a CORS configuration issue, which was fixed 7 Oct 2021
- bonus reported an information disclosure issue, which was fixed 7 Oct 2021
- dpi reported a cache leaking issue with our upgrade from GitLab 13.x to 14.x, which was fixed 10 Aug 2021
- Harinder Singh (S1N6H) reported an issue with CDN purging, which was fixed 27 Jun 2021
- Muhammad Arslan Kabeer reported a clickjacking issue, which was fixed 14 Dec 2020
- ageek reported an information disclosure issue, which was fixed 13 Aug 2020
- Demon876 reported a login XSRF issue, #1803712-16: Allow form tokens to be used on anonymous forms in some cases, which was fixed 16 Aug 2019
- Sam Becker (Sam152) reported a header leak issue in security.drupal.org, which was fixed 9 Aug 2019
- Yonatan Offek (poiu) reported an XSS issue in bluecheese, which was fixed 11 Feb 2019
Drupal Project Bug Bounty Programs
If you are interested in sponsoring a bug bounty program for Drupal.org or Drupal itself, please contact us at help@drupal.org.
If you think you have found a security issue, follow instructions for How to report a security issue with Drupal or a contributed project.
Past programs
This list is incomplete; it covers programs in 2019 and later.
- EU FOSSA 2 - The European Commission Free and Open Source Software Audit project announced a bug bounty program of 89,000 Euro in 2019.