Documenting Security/CVE process

Open on Drupal.org →

Created on 13 August 2025, about 2 months ago

Problem/Motivation

Coming into the process newly, I undertook documenting the process of obtaining a new CVE with *lots* of help from Damien. There were some interesting wrinkles along the way. I'm not promising I caught everything so this issue to solicit feedback...is it accurate? Did I miss something?

Obtaining a Drupal CVE

Even though commenting in the document is on, please favor adding comments below so we can all follow along more easily.

Please see the diagram in the document, too.

Thanks in advance!

📌 Task

Status

Active

Version

1.0

Component

Documentation

Created by

🇺🇸United States aangel

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @aangel
Comment about 2 months ago →
🇺🇸United States aangel
Comment about 2 months ago →
🇺🇸United States cmlara
Re title as this appears to be focused on D7 ES providers currently.

Much of this would appear to relate to contractual agreement the D7ES providers have with the DST and Drupal CNA and as such normal rules may not apply.

The Drupal Security Team operates under the Red Hat Root CNA, which is the preferred Root CNA for most open-source projects.
Considering a RedHat only became a root in 2022 is this actually true ? The Drupal CNA predates the Red Hat Root. The CVE website only lists MITRE as their top level root, so that does leave ambiguity about if they have a parent root.

MITRE was used as the CNA-LR. It’s not clear to me if Red Hat was asked first or if the requester went directly to MITRE

Red Hat only became a CNA-LR in February of 2025, they would not have been capable of accepting the report in 2024.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024