Proposed Security Focused Sub-Team: Drupal Security Media Relations

Hello,

We've had some discussions so far with a few security interested people and a few press-interested people and have nearly formulated our plan. If anyone would like to help provide feedback while its in draft form please ping me or comment here and I'll get in touch with a link.

The group's next step is to get agreement from the Security Team for our proposed processes and practices.

Once that's done I'll publish the draft here to get feedback from anyone.

Thanks!

Overall I think working with the press can be a very good thing for several reasons:

• SA's, while detailed and informative, and not really friendly/accessible to the population at large. News articles and/or press releases can be more readable and help provide context as to the importance and impact of a particular issue.
• While we often claim that Drupal cares a lot about security, we really don't actively promote this. In fact, if you're not security minded and actively looking for this information, you could easily miss it completely except for the occasional Drupal core security release on d.o.
• By working with the press, we will be in a better position to maintain an accurate message. There is nothing worse than a security item getting the wrong type of media hype (e.g. heart bleed).
• The more awareness we can bring to our team, the more people we can potentially have join and the more acknowledgement we can provide to those that have really put in a lot of time and effort as volunteers.
• For highly critical vulnerabilities (i.e. situations where it's a race to disclose and get people to upgrade prior to exploitation), the additional visibility should help speed up adoption.

In terms of formulating the plan, I can be involved but my available bandwidth is fairly limited at the moment. If there is enough interest though, I think this would be a good thing.

Best,

-Rick

Based on this public conversation and the conversations within the security team mailing list, it seems that there is a general consensus that this can be a good thing if executed correctly. The only dissenting opinions that were voiced revolved around whether on not this would be valuable enough to pursue and whether or not the team had the bandwidth to pursue it. However, given the motivation and willingness of some members (myself included) to make this happen, I don't think those concerns are strong enough to justify not move forward on this.

Therefore, I conclude that there is enough buy in from the team to move forward on this. If I'm mistaken or out of line in that assertion, please speak up so we can hash that out.

If I am correct, then the conversation should re-focus onto execution. Given the core release window of next week (should it be needed), I think we should focus on defining the next tasks as well as the protocol for managing this in conjunction with the security advisories.

I propose the following:

• 1-2 weeks prior to a Drupal Core security release window, a member of the Drupal security team reviews the Drupal core issues that are currently slated to be released.
• If there is one or more issues that are Highly Critical (https://www.drupal.org/security-team/risk-levels), a task is created to generate the briefing emails and/or talking points.
• Approximately 24 hours prior to the release, the trusted partners in the press are provided the information along with the request to embargo the publication until the SA is released.
• Members of the team willing/able to interact with and answer any followup questions with the press would provide their contact information and be available during this embargo window.

Not trying to overcomplicate this if a simpler approach would suffice. I'm just eager to get the ball rolling and breaking this down into next actions makes this more likely to get inspire momentum on this.

-Rick