
Drupal
External Program
Submit bugs directly to this organization
If you discover a vulnerability in Drupal core or a contributed project (module, theme, or distribution) that is covered by the Security Advisory policy, keep it confidential. There are two ways to report:
1. Report directly on security.drupal.org (preferred)
   - Find the project on drupal.org related to the issue: either [Drupal core](https://www.drupal.org/project/drupal), or look for it among the [modules](https://www.drupal.org/project/modules/?filters=type%3Aproject_project%20im_vid_3%3A14&solrsort=sis_project_release_usage%20desc) or [themes](https://www.drupal.org/project/themes).
   - In the right sidebar of the project page is a link to '**Report a security vulnerability**'. Click that link.
   - That will take you to the Security Team's private issue tracker, where your issue will be immediately incorporated into our workflow.
2. Send an e-mail
   - Send an e-mail to [email protected].
Do not post in the public issue tracker or discuss it in IRC. The security team will investigate your report and work with you and the project maintainer to create a fix. When the issue is about a contributed module, the team coordinates with a module maintainer. When the fix is ready, we will create a release and announce the fix to a wide audience.
Some bugs take time to correct, and the process may involve a review of the codebase for similar problems. Coordinating across time zones and work schedules can be time-consuming. We aim to fix issues within 1 month, but balance that with the available time of our volunteer team and the need to release high-quality fixes.
Do not disclose the vulnerability to anyone else before the advisory is issued. If progress on fixing the issue stalls and it cannot be fixed in a mutually agreeable time, we will unpublish the releases and create a Security Advisory detailing the problem.
If the vulnerability is not covered by the Security Advisory policy, you can still report it via these channels, but it's also acceptable to post it directly to the issue queue for that project.