[development] Think there's a security problem in your module? Here's what to do.

Derek Wright drupal at dwwright.net
Wed Jan 16 07:20:03 UTC 2008


Perhaps the docs are too detailed, confusing, hard to find, or
obscure.  I'd like to try, in short, plain English, to explain what to
do when you think you've found a security problem in your module:

a) Either you think you've found a potential security problem in your
module, or a user reports a vulnerability to you.

b) You *immediately* send email to security at drupal.org about it to  
let us know.

c) You try to analyze the vulnerability to the best of your
abilities, and if possible produce a patch that fixes it.

d) DO NOT COMMIT YOUR PATCH YET.

e) DO NOT MAKE A RELEASE YET.

f) DO NOT MARK YOUR RELEASE AS A "SECURITY UPDATE" YET.

g) Send your patch to security at drupal.org.

h) Wait for the security team to reply.

i) Do what the security team advises you to do.

j) If/when the security team thinks your vulnerability is real, the
fix is complete, and a security announcement (SA) is ready to go out,
we'll tell you.

k) Only once an SA is ready for your vulnerability and the security
team is ready to coordinate a release, THEN (and only then) do you
commit your patch to all relevant branches, tag new releases, create
release nodes, and mark them as "Security update" releases.

l) The security team can then publish your release nodes (which
doesn't happen automatically if they're flagged as a "Security
update") and send out the SA, at which point your users will know
they need to upgrade (both via the security announcement email lists
and RSS feeds, and via the update_status module).


Make sense?
Do you really understand the process?
Should I explain why any of these steps are like this?
What else could be done, either via docs or project* UI, to make this
clear?

Relevant issue:
http://drupal.org/node/210497
"add extra validation to release node form for security update releases"

Relevant handbook docs:
http://drupal.org/security-team

Thanks,
-Derek (dww)