Rick Manelius, PhD @rickmanelius, 12 tweets
The recent SA-CORE-2018-004 and SA-CORE-2018-002 security advisories have sparked a lot of conversations in the Drupal community regarding all things security. IMHO, it's important to highlight several talking points to keep things in perspective.
1/Timing. In both cases, it is believed that the patches and releases occurred before any publicly known or widely used exploit. This is huge. This means the community had a marked advantage in addressing before mass exploits were attempted.
2/Responsible Disclosure. Individuals finding these vulnerabilities decided to work with the Drupal Security team rather than disclose publicly. This is huge. It allows the community the chance to address proactively versus reactively on a potential 0-day exploit.
3/Due Diligence. If you'll note on SA-CORE-2018-004, there were members of the security team that played a part in the additional research and testing. To me this highlights the team taking active measures versus waiting passively for external reports.
4/Level of Participation. Despite being a group of volunteers, you'll note that a dozen individuals helped fix and coordinate this issue. This is a non-trivial amount of eyeballs looking at the problem and effort spent reviewing/evaluating the remediation strategy.
5/Hard Decisions w/Level-Headedness. While we would all like security releases to fit within nice timeboxes that minimize disruption, the team sometimes has to balance risk with factors like convenience and maximizing overall benefit to the community. This is not easy/trivial.
6/Hosting Providers. While it only represents a fraction of the overall Drupal install base, the fact that several key hosting providers quickly rolled out infrastructure-level protection significantly limited the overall exposure.
7/Feedback Loops. While not all details can be disclosed, anyone on the public side can clearly see that the security team has been taking and applying feedback on a regular basis to improve communication/releases of critical/highly critical issues.
8/Real Time Support. While it remains to be seen if it stays open, there was a Slack channel opened up for real-time questions/answers drupal.slack.com/messages/C2AAK….
9/Volunteers. An important reminder that many members of the Drupal Security team are volunteers. Appreciation can go a long way. Even better, if you're a company that employs a Drupal Security team member, allocating more company time would be well received.
10/Open Source. Security Advisories are not a bug, but a feature of open source. The codebase (like our community) is a shared responsibility.
End thread. Thank you for listening.