Official policy over security issues in vendor code that doesn't affect Drupal?

DamienMcKenna's picture

I could not find an official policy over whether PSAs are to be made regarding security notices for vendor code that doesn't directly affect Drupal, though I'm sure this has happened lots of times over the years and will continue to happen in the future.

I suggest we over-communicate to the community and take the effort to release a PSA that states Drupal core is not affected on situations where vendor security updates do not affect Drupal. We could even have a template message to publish for these scenarios, then just update the specifics and it's done.


  1. If the group does not state that there isn't a security issue due to vendor code, people will question whether the lack of communication suggests there is in fact an issue. This communication gap will be filled with questions and doubt, potentially leading to FUD.
  2. An alternative would be to post a message to this group. Many more people will receive and read a PSA than would ever see a message to the group, so from the POV of more eyes seeing the message a PSA would work better.