Drupal Security

Drupal is backed by a security team of over 30 people who are constantly working with the community to address security issues as they arise. Drupal practices "responsible disclosure": full disclosure of vulnerabilities is made only when the threat has been addressed and an update is available. Drupal.org maintains a security announcement mailing list and an RSS feed with the most recent security advisories.

Is open source software secure?

It depends. Is closed source software more secure than open source? Typically not for that reason. When it comes to security, closed source is just a form of "security by obscurity", which experts generally agree fails as a primary security measure. There are many good articles on this heavily debated topic, but it really boils down to a few things, regardless of whether the source code is available.

  • As more people look at source code, the likelihood of someone finding a vulnerability increases (the "many eyeballs" theory). Open source projects, especially large ones, give more opportunity for review.
  • Do the people writing and reviewing code actually know how to find security vulnerabilities? Open source generally encourages peer review, which helps both coders and reviewers improve their skills.
  • Patch distribution is an issue for everyone. Open source provides the option of patching a vulnerability immediately.

Opportunity without skills is sometimes the case with open source software. Skills without opportunity for review is often the case with closed source software. It goes both ways. Drupal, however, is a large project and does encourage peer review. Also, patch distribution follows a defined process with a consistent notification method. The increased security of using open source was cited as one reason the White House switched to Drupal. 1