Date: 2023-July-11
Description: Beginning today, Drupal core issues reported to the Security Team with risk levels that are “Not Critical”, “Less Critical”, or “Moderately Critical” may be treated as bugs in the public issue queue, not as private security issues requiring a security advisory and CVE. This change is being made to allow these issues to be fixed more quickly via public issue queues.
The Security Team will use its discretion to handle some issues in public depending on the risk score, the severity of the impact, the difficulty to exploit, and any other mitigating factors.
We still encourage all security researchers to start by filing a private issue that can then be moved public later. Members of the Security Team will also sometimes unpublish a public issue and move it private as needed.
Drupal core issues with risk levels of “Critical” or “Highly Critical” will continue to be private security issues. Some issues