Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.

Install the latest version:

• If you are using Drupal 7, update to Drupal 7.102.
• If you are using Drupal 10.2, update to Drupal 10.2.11.
• If you are using Drupal 10.3, update to Drupal 10.3.9.

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

• Drew Webber of the Drupal Security Team

• Drew Webber of the Drupal Security Team
• Fabian Franz
• Juraj Nemec of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Dave Long of the Drupal Security Team
• Alex Pott of the Drupal Security Team

• Juraj Nemec of the Drupal Security Team
• Benji Fisher of the Drupal Security Team
• xjm of the Drupal Security Team

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.

Install the latest version:

• If you are using Drupal 10.2, update to Drupal 10.2.11.
• If you are using Drupal 10.3, update to Drupal 10.3.9.
• If you are using Drupal 11.0, update to Drupal 11.0.8.
• Drupal 7 is not affected.

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

• Drew Webber of the Drupal Security Team

• Drew Webber of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team

• Juraj Nemec of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Benji Fisher of the Drupal Security Team
• xjm of the Drupal Security Team

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.

This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.

Install the latest version:

• If you are using Drupal 10.2, update to Drupal 10.2.11.
• If you are using Drupal 10.3, update to Drupal 10.3.9.
• If you are using Drupal 11.0, update to Drupal 11.0.8.
• Drupal 7 is not affected.

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

• Drew Webber of the Drupal Security Team

• Drew Webber of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team

• Juraj Nemec of the Drupal Security Team
• Benji Fisher of the Drupal Security Team
• xjm of the Drupal Security Team

Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances.

Only sites with the Overlay module enabled are affected by this vulnerability.

Install the latest version:

• If you are using Drupal 7, update to Drupal 7.102
• Sites may also disable the Overlay module to avoid the issue.

Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed from Drupal core in Drupal 8.

• Cesar

• Cesar
• Greg Knaddison of the Drupal Security Team
• Matthew Grill
• Wim Leers
• Drew Webber of the Drupal Security Team
• Ra Mänd
• Fabian Franz
• Juraj Nemec of the Drupal Security Team

• Juraj Nemec of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• xjm of the Drupal Security Team

Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation.

As a result, a user may be able to register with the same email address as another user.

This may lead to data integrity issues.

Install the latest version:

• If you are using Drupal 10.2, update to Drupal 10.2.11.
• If you are using Drupal 10.3, update to Drupal 10.3.9.
• If you are using Drupal 11.0, update to Drupal 11.0.8.
• Drupal 7 is not affected.

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Updating Drupal will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case for additional guidance.

• Wayne Eaker

• Wayne Eaker
• cilefen of the Drupal Security Team
• Kristiaan Van den Eynde
• Drew Webber of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team

• Juraj Nemec of the Drupal Security Team
• Benji Fisher of the Drupal Security Team
• xjm of the Drupal Security Team

Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.

Install the latest version:

• If you are using Drupal 10.2, update to Drupal 10.2.11.
• If you are using Drupal 10.3, update to Drupal 10.3.9.
• If you are using Drupal 11.0, update to Drupal 11.0.8.

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

• Jay Beaton

• Lee Rowlands of the Drupal Security Team
• catch of the Drupal Security Team
• Mingsong
• Juraj Nemec of the Drupal Security Team
• Dave Long of the Drupal Security Team
• Benji Fisher of the Drupal Security Team

• Juraj Nemec of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Welcome to the Event Impact Recap of DrupalCon Barcelona 2024. This year’s conference not only showcased the vibrant spirit of our global network but also highlighted the achievements and successes that emerged from this remarkable gathering. As we look forward to upcoming events in Singapore and Atlanta, let's take a minute to celebrate what we accomplished together in Barcelona!

At every DrupalCon, we unite the global Drupal community—crafted by the community, for the community. Our mission is to foster an inclusive environment where Drupal Certified Partners, Agencies, Marketers, End Users, Developers, Site Builders, and Community Organizers come together to train, learn, network, see old friends and make new ones, and grow their careers. We strive to create a vibrant space that celebrates collaboration and innovation, providing opportunities for personal and professional development.

Through shared knowledge, diverse perspectives, and active engagement, DrupalCon serves as a beacon for Drupal enthusiasts, empowering them to contribute to the future of open-source software. Together, we will shape the next generation of digital experiences, ensuring that Drupal continues to thrive, grow and innovate worldwide.

Key Highlights from DrupalCon Barcelona 2024

Attendance and Engagement

With 1,087 registered attendees and an impressive 96% check-in rate, DrupalCon Barcelona brought together a passionate community of Drupal enthusiasts and professionals. Notably, 307 participants received complimentary registrations (that’s 31%!) for their roles as speakers, scholarship recipients, or planners, reinforcing our commitment to inclusivity and accessibility.

Among the attendees, 27% were first-time DrupalCon participants, while 33.8% had attended four or more times. An impressive 79.1% of attendees expressed their intention to recommend DrupalCon to friends or colleagues, highlighting the event’s value.

Global Representation

DrupalCon Barcelona truly exemplified our global reach, with attendees from 66 countries across six continents. This diversity enriched our discussions and collaborations, showcasing the power of Drupal as a unifying platform.

Registrations Per Country

DriesNote and Starshot

A standout moment was the DriesNote, which attracted 810 attendees eager to learn about the future of Drupal CMS and the role of AI in expanding our marketplace. The insights shared during this session sparked lively discussions and innovative ideas.

The Starshot track and Makers and Takers tracks were immensely popular, with the top session, "Drupal AI: The Golden Era of the Web," drawing 520 attendees. These sessions not only highlighted cutting-edge topics but also fostered collaboration and knowledge sharing among participants.

Sponsorship Support

DrupalCon Barcelona 2024 was made possible by the generous support of our sponsors:

• Diamond Sponsors: 4
• Platinum Sponsors: 6
• Gold Sponsors: 3
• Silver Sponsors: 12
• Module Sponsors: 11
• Village Sponsors: 5
• Media Sponsors: 3
• Scholarship Sponsors: 3
• Total Sponsors: 30

In total, we had 30 sponsors whose commitment to the Drupal community was essential for the event and the overall community growth and success. Their support underscores the strength of our partnerships and shared goals.

Volunteer Contributions

The success of DrupalCon Barcelona was greatly aided by 208 dedicated volunteers, who contributed their time and talents across various roles—from session review committees and help desks to contribution monitors and photographers. Their hard work and enthusiasm were crucial in creating a welcoming and productive environment for all.

Looking Ahead

As we reflect on the achievements and connections fostered at DrupalCon Barcelona 2024, I feel optimistic about the future of Drupal. This event was not just a conference; it was a celebration of collaboration, knowledge sharing, and community spirit. 

I extend my heartfelt gratitude to everyone who contributed to this success—from attendees and volunteers to sponsors and organizers. Together, we can carry this momentum forward as we embark on the next chapter of Drupal's journey at DrupalCon Singapore, DrupalCon Atlanta, and beyond.

Here’s to continued growth, innovation, and the vibrant spirit of the Drupal community! I hope to see many of you in Singapore in December where we will be getting a sneak peek of the Drupal CMS, ahead of it’s release in January 2025; tickets are available on the DrupalCon Singapore website.

Welcome to the Event Impact Recap of DrupalCon Barcelona 2024. This year’s conference not only showcased the vibrant spirit of our global network but also highlighted the achievements and successes that emerged from this remarkable gathering. As we look forward to upcoming events in Singapore and Atlanta, let's take a minute to celebrate what we accomplished together in Barcelona!

At every DrupalCon, we unite the global Drupal community—crafted by the community, for the community. Our mission is to foster an inclusive environment where Drupal Certified Partners, Agencies, Marketers, End Users, Developers, Site Builders, and Community Organizers come together to train, learn, network, see old friends and make new ones, and grow their careers. We strive to create a vibrant space that celebrates collaboration and innovation, providing opportunities for personal and professional development.

Through shared knowledge, diverse perspectives, and active engagement, DrupalCon serves as a beacon for Drupal enthusiasts, empowering them to contribute to the future of open-source software. Together, we will shape the next generation of digital experiences, ensuring that Drupal continues to thrive, grow and innovate worldwide.

Key Highlights from DrupalCon Barcelona 2024

Attendance and Engagement

With 1,087 registered attendees and an impressive 96% check-in rate, DrupalCon Barcelona brought together a passionate community of Drupal enthusiasts and professionals. Notably, 307 participants received complimentary registrations (that’s 31%!) for their roles as speakers, scholarship recipients, or planners, reinforcing our commitment to inclusivity and accessibility.

Among the attendees, 27% were first-time DrupalCon participants, while 33.8% had attended four or more times. An impressive 79.1% of attendees expressed their intention to recommend DrupalCon to friends or colleagues, highlighting the event’s value.

Global Representation

DrupalCon Barcelona truly exemplified our global reach, with attendees from 66 countries across six continents. This diversity enriched our discussions and collaborations, showcasing the power of Drupal as a unifying platform.

Registrations Per Country

DriesNote and Starshot

A standout moment was the DriesNote, which attracted 810 attendees eager to learn about the future of Drupal CMS and the role of AI in expanding our marketplace. The insights shared during this session sparked lively discussions and innovative ideas.

The Starshot track and Makers and Takers tracks were immensely popular, with the top session, "Drupal AI: The Golden Era of the Web," drawing 520 attendees. These sessions not only highlighted cutting-edge topics but also fostered collaboration and knowledge sharing among participants.

Sponsorship Support

DrupalCon Barcelona 2024 was made possible by the generous support of our sponsors:

• Diamond Sponsors: 4
• Platinum Sponsors: 6
• Gold Sponsors: 3
• Silver Sponsors: 12
• Module Sponsors: 11
• Village Sponsors: 5
• Media Sponsors: 3
• Scholarship Sponsors: 3
• Total Sponsors: 30

In total, we had 30 sponsors whose commitment to the Drupal community was essential for the event and the overall community growth and success. Their support underscores the strength of our partnerships and shared goals.

Volunteer Contributions

The success of DrupalCon Barcelona was greatly aided by 208 dedicated volunteers, who contributed their time and talents across various roles—from session review committees and help desks to contribution monitors and photographers. Their hard work and enthusiasm were crucial in creating a welcoming and productive environment for all.

Looking Ahead

As we reflect on the achievements and connections fostered at DrupalCon Barcelona 2024, I feel optimistic about the future of Drupal. This event was not just a conference; it was a celebration of collaboration, knowledge sharing, and community spirit. 

I extend my heartfelt gratitude to everyone who contributed to this success—from attendees and volunteers to sponsors and organizers. Together, we can carry this momentum forward as we embark on the next chapter of Drupal's journey at DrupalCon Singapore, DrupalCon Atlanta, and beyond.

Here’s to continued growth, innovation, and the vibrant spirit of the Drupal community! I hope to see many of you in Singapore in December where we will be getting a sneak peek of the Drupal CMS, ahead of it’s release in January 2025; tickets are available on the DrupalCon Singapore website.

Join us THURSDAY, November 21 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits.  Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google doc: https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone. 

• Join the call: https://us02web.zoom.us/j/81817469653

  • Meeting ID: 818 1746 9653
    Passcode: 551681

  • One tap mobile:
    +16699006833,,81817469653# US (San Jose)
    +13462487799,,81817469653# US (Houston)

  • Dial by your location:
    +1 669 900 6833 US (San Jose)
    +1 346 248 7799 US (Houston)
    +1 253 215 8782 US (Tacoma)
    +1 929 205 6099 US (New York)
    +1 301 715 8592 US (Washington DC)
    +1 312 626 6799 US (Chicago)

  • Find your local number: https://us02web.zoom.us/u/kpV1o65N

• Follow along on Google Docs: https://nten.org/drupal/notes

View notes of previous months' calls.

Join us THURSDAY, November 21 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits.  Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google doc: https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone. 

• Join the call: https://us02web.zoom.us/j/81817469653

  • Meeting ID: 818 1746 9653
    Passcode: 551681

  • One tap mobile:
    +16699006833,,81817469653# US (San Jose)
    +13462487799,,81817469653# US (Houston)

  • Dial by your location:
    +1 669 900 6833 US (San Jose)
    +1 346 248 7799 US (Houston)
    +1 253 215 8782 US (Tacoma)
    +1 929 205 6099 US (New York)
    +1 301 715 8592 US (Washington DC)
    +1 312 626 6799 US (Chicago)

  • Find your local number: https://us02web.zoom.us/u/kpV1o65N

• Follow along on Google Docs: https://nten.org/drupal/notes

View notes of previous months' calls.

With the current Drupal CMS work tracks well on the way to delivering for v1, we're planning ahead to define what's next on the roadmap. We also have a few tracks that were already in progress for v1, but never formally announced.

As we move beyond the basics of a CMS, things get complicated quickly! So several of these tracks are somewhat open-ended, and likely will require multiple approaches or solutions.

Tracks already in progress

Project Browser

Project Browser is an ongoing initiative, to make it easy for site builders to find modules from within their Drupal sites, led by Leslie Glynn and Chris Wells from Redfin. After several years of foundational work, the functionality is now working with a live API endpoint from drupal.org providing the module information. 

Since Project Browser is a critical part of the builder experience for Drupal CMS, we're formally adding it as a work track to recognize that and ensure it is aligned with the product strategy and other work tracks. If you're looking for a way to contribute to Drupal CMS, join the #project-browser channel on Slack for the latest.

Workspaces as content moderation

Drupal core has long provided tools for configurable content workflows, via the Workflows and Content moderation modules. In the meantime, the Workspaces module has become stable, and provides a more scalable method for staging content changes. Experience Builder will require workspaces to provide true content staging, because within XB a user can make changes to a number of different components at once, and content moderation does not allow for this. But right now, the complexity of workspaces makes it challenging for the most basic content moderation use cases.

The team from Tag1 already had a plan to completely replace content moderation with workspaces, and have now committed to delivering this functionality for inclusion in Drupal CMS. The goal of this track is to provide an experience similar to content moderation, where you can edit a single entity and create a draft, using workspaces but without exposing this to the user. So under the hood, workspaces is providing the draft/forward revision, but the user has no direct interaction with the workspace.

Telemetry

Telemetry is a crucial part of modern software development to provide information about how real-world users interact with a software application. Drupal has not integrated a formal telemetry system in the past, but Drupal CMS is a great opportunity both to try a telemetry system, and to take advantage of the insight it provides to rapidly improve the product.

We formed a working group to look into options for telemetry for Drupal CMS and have an early proposal for this now. Ideally, we will include some basic capability in the initial release, but would like to recruit a track lead to oversee this work ongoing, after the initial release.

If you are interested in taking the lead on this track, please apply here.

New tracks we're recruiting for

Content import / migration

Enabling users of other platforms to easily migrate their sites to Drupal is critical to delivering on the Starshot strategy. Drupal's migration tools provide a robust foundation, but this is a huge task to undertake, and may require more than one approach. 

So this track may split off into several different efforts. For example, there may be a simple import solution for basic sites that have a structured data source. Another might offer a migration via site scraping. And another might provide a jumping off point for more complex migrations. Rather than prescribing the approach, we are open to all proposals.

If you are interested in proposing a solution for this, please apply here.

Tours

Drupal has long had the capability to add tours, which are guided overviews of the site interface, via the Tour module. These guided tours are practically universal in our competitor products, and will be key to onboarding new Drupal users.

Several Drupal CMS recipes have provided or plan to provide a tour of the functionality they provide. In order to ensure that the tours provided by Drupal CMS are consistently applied and executed, we are seeking a lead to oversee this aspect of the product. This role is non-technical in nature, and requires skills in user experience, training, content writing and product design. The aim with tours will be to use them only where necessary, and not as a workaround for other fundamental UX improvements.

If you are interested in taking the lead on this track, please apply here.

Identity management / SSO

In user interviews with a number of people in our target persona, they highlighted identity management and single-sign as a pain point with other platforms. Given Drupal's robust integration options, we feel this is an area where we can differentiate from our competitors, whose offerings may be more limited. But with flexibility comes complexity, and anyone who has tried to set up SSO in Drupal probably knows that it's not usually plug-and-play.

Part of the complexity is the wide range of providers, each with potentially different requirements. The Drupal CMS leadership team is currently undertaking an analysis of key integrations of all kinds, with a focus on user management, to formulate an approach to this that likely will open up one or more work tracks to build or refine the necessary functionality.

If you are interested in proposing a solution for single-sign on or identity management, please apply here.

Content translation tools

Drupal’s multilingual capabilities are robust, but there is an opportunity to make these tools even more accessible and efficient for content creators managing global audiences. This track focuses on enhancing Drupal’s translation and localization features to streamline content creation and support internationalization needs.

To achieve this, we could explore areas such as UX improvements to simplify translation workflows, AI-driven translation suggestions, integration with translation memories, notifications when content changes require re-translation, and more. Additionally, we can explore refining approval workflows and optimize the interface for managing multilingual content, making Drupal a more powerful, user-friendly platform for international sites.

If you are interested in proposing a solution for this, please apply here.

Front end design system

We are seeking strategic partners interested in designing and implementing a comprehensive design system to integrate with Experience Builder for Drupal CMS. The goal for this initiative is to create a modern and versatile design system that provides designers and front-end developers tools to accelerate their adoption of Drupal as their digital platform, by enabling them to easily adapt it to their own brand. This design system will enable content marketers to efficiently build landing pages and campaigns, allowing them to execute cohesive marketing strategies while maintaining the brand integrity.

More information on this track, including timelines and how to apply, is available in the full brief.

Conclusion

Each of these work tracks is aligned with the goals of the Starshot strategy, which aims to make Drupal CMS the go-to platform for marketers and content creators. 

The tracks we are recruiting for are not expected to be included in the initial 1.0 release of Drupal CMS. That said, development on these tracks could start soon, with target completion in the first half of 2025.

For those looking to apply or contribute, join us on Slack to connect with existing track leads or reach out to the Drupal CMS leadership team with questions. You can also follow developments in the Drupal.org issue queue.

The Drupal Association has published this guest blog on behalf of HeroDevs.

At HeroDevs, we’re no strangers to the importance of security—especially when it comes to open-source software. As the pioneers of securing deprecated open source software across various communities like AngularJS, Vue, and Spring, we’re excited to bring our expertise to the Drupal 7 ecosystem. We understand the challenges and vulnerabilities that come with maintaining legacy software, and our goal is to ensure your Drupal 7 websites remain secure, compliant, and fully functional for the long term.

Guaranteed SLA for Security and Compliance

When it comes to security vulnerabilities, having a guaranteed response is crucial for your business. HeroDevs offers a dedicated SLA that ensures your systems receive timely attention and resolution. Our service helps you stay compliant with important regulations such as FedRAMP, PCI, HIPAA, and SOC II. With HeroDevs, your business is backed by proactive security measures, so you never have to worry about delayed responses to critical security needs.

Reliable Terms & Conditions Throughout Your Subscription

We know how important stability and reliability are for businesses managing content management systems such as Drupal 7. That’s why our terms and conditions are mutually agreed upon and remain unchanged throughout your Subscription Term. With HeroDevs, you can rely on consistent, dependable support without the worry of unexpected changes to your agreement.

Guaranteed Subscription Term: No Termination for Convenience

Another aspect that sets HeroDevs apart is our Guaranteed Subscription Term. Unlike other providers, HeroDevs cannot terminate your subscription for convenience. This ensures that you receive full, uninterrupted service for the entire duration of your agreement, so you can have peace of mind knowing your Drupal systems are in safe hands for as long as you need them to be.

Warranties and Indemnification: Protecting Your Business

At HeroDevs, we stand behind the services we provide. Our subscription includes warranties and indemnification to ensure that the security services you receive are up to standard. Should anything go wrong, you’re covered—not just with fixes, but with assurances that keep your business protected.

Why Partner with HeroDevs for Drupal Support?

By choosing HeroDevs, you’re partnering with a team of security professionals with a proven track record across various open-source communities. We’re committed to helping your business meet compliance standards, avoid costly security incidents, and maintain seamless functionality—all with the added benefit of faster support and more secure systems.

Contact us to learn more about Drupal 7 NES.

The Summary

To ensure Drupal’s stability and independence, the project is managed through a well-established, transparent governance system. Dries Buytaert, the Founder and Project Lead, helped design a model that distributes power and prevents any single person or entity — even himself — from making unilateral decisions that could alter the project unexpectedly. The independent Drupal Association oversees Drupal.org and other key infrastructure, free from commercial pressures. This approach ensures that Drupal.org is reliable and creates a fair playing field for all contributors, embodying true open-source leadership.

Just as the Drupal software has grown and changed significantly over its 23-year history, so has its governance. And, while there’s always room for improvement, it is safe to say that Drupal’s seasoned governance is what allows it to be one of the largest, independent open source projects in the world. 

The Detail

Dries Buytaert, as the founder and project lead, ultimately guides the direction of Drupal, and is responsible for shaping the project’s philosophy and core principles. 

While Dries started Drupal on his own, he has helped evolve the governance model over the years to be mature and resilient.  To help govern the project's technical aspects, Dries established the core committer team and other supporting groups. To  oversee non-technical areas, he co-founded the Drupal Association. These initiatives were intentional efforts to scale and strengthen Drupal’s governance.

On the technical side, the governance model for Drupal core is very mature, as described in the Drupal Project Governance. Technical decision-making is distributed among the core committers and other maintainers, promoting a transparent, structured, and collaborative approach to managing Drupal core.     

Many other aspects of Drupal governance are managed by the Drupal Association, which is a U.S. 501(c)3 nonprofit organization formed in 2008 to support the Drupal project and the Drupal community.  I am currently the Chief Executive Officer of the Association.  Our mission is to drive innovation and adoption of Drupal as a high-impact digital public good, hand-in-hand with our open source community.  A fundamental obligation of the Drupal Association is to ensure that Drupal is available to anyone, anywhere in the world free of charge.  We primarily accomplish this task through Drupal.org.

The Drupal Association is a bona fide non-profit organization (not a pass-through), with assets of just over $3 million and an operating budget of over $4 million. We publish our finances annually (see: Find the reports in the Accountability section of D.org).  The Association is not controlled or funded by any single entity nor does it pass revenues onto another entity.  The Association’s revenue comes from hundreds of organizations and thousands of individuals.  No single financial contributor accounts for more than 10% of our revenue. This diverse support base prevents any one entity from having too much influence.

The Drupal Association employs a full-time team of 19 professionals located throughout the world.  These people include engineers, marketers, accountants, communication staff, and program administration team members.  I say all this to demonstrate that we have the capacity to legitimately, and independently, carry out our mission.

The Drupal Association owns and controls important components of the Drupal ecosystem that allow Drupal to be one of the largest independent FOSS projects in the world.

The Drupal Association owns and/or controls the infrastructure that powers Drupal.org.  The Drupal Association has complete control over who accesses Drupal.org, how they access it, and what they can do when accessing it.  These are covered by our Terms of Service.

In administering Drupal.org, the Drupal Association controls a number of services, including:

• The database of Drupal.org users/project contributors
• A self-hosted GitLab instance that includes all of the Drupal code repositories for core and contrib, testing with GitLab CI and documentation through GitLab Pages
• Drupal software packaging (the actual .zip and .tar.gz files containing Drupal code)
• Drupal Updates (the Updates.xml feed, Automatic Updates endpoint, Secure Signing server, and Packages.Drupal.org- the composer endpoint for Drupal projects).
• The Drupal namespace on GitHub
• The Drupal namespace on Packagist
• The Drupal namespace on NPM
• The Drupal Infrastructure namespace on gitlab.com (separate from our self-hosted instance)
• The contribution credit system
• Usage data about Drupal core and extensions

The Drupal Association also owns and controls the primary means by which the community communicates and gathers.  We organize DrupalCons and manage Drupal Slack.  We issue The Drupal Association Newsletter and TheWeeklyDrop (together with Bob Kepford).  We control and manage Mastodon, X/Twitter, YouTube, LinkedIn (Drupal, Drupal Association, Drupal Jobs), Facebook, Instagram, and TikTok.

Drupal has the Maker/Taker Problem that nearly all open source projects face.  There are companies that profit off Drupal who don’t give back to help maintain the project.  The Drupal Association has chosen to address this issue by restructuring our Drupal Certified Partner program to focus exclusively on those companies that give back to the community.  The goal is to incentivize the creation of a culture of contribution within companies that work in Drupal that provide the Drupal Project with sufficient resources to innovate and grow.  There is always work to be done in creating a more equitable program, but it is beginning to work as we have more than doubled the number of Drupal Certified Partners in the past 15 months.

The Drupal Association is governed by a 12-person Board of Directors that meets several times a year, including two public meetings at DrupalCons.  Nine directors are selected by a Nominating Committee of the board and two directors are elected by members of the Drupal Association.  The final seat is the “Founding Director”.  This is a voting seat that can only be filled by Dries Buytaert.  Like all board seats, this is an unpaid, voluntary role that carries with it a single vote on the board.  It has to be approved annually by the Board of Directors. Except for the trademark licensing, the Drupal Association has no contracts or agreements with Dries Buytaert or the Drupal Project, and Dries receives no funding from the Drupal Association or its operation of Drupal.org.

Dries Buytaert owns the trademark “Drupal”.  He has transparently communicated the Drupal Trademark and Logo Policy by which these are governed.  Under the policy, any changes to the policy go into effect sixty (60) days after publication.  Dries Buytaert also owns the domain names “drupal.org”, “drupal.com” and “drupalcon.org”.

Dries has granted the Drupal Association an exclusive license to use “Drupal”, “Drupal.org”, and “DrupalCon” and a non-exclusive license to use Drupal for non-commercial uses.  This license allows the Drupal Association to support the Drupal Project by providing the infrastructure to host and maintain the official version of Drupal and to organize its contributors.  It also allows the Association to support the Drupal Community in their work with Drupal.

The net effect of this arrangement is that Dries Buytaert retains ultimate control over what software can be named “Drupal” and what website can be named “Drupal.org.”  He can thus ensure that any software that calls itself “Drupal” or website that uses “Drupal.org” conforms with his vision.  This would likely cause the Drupal Association to fork the software and maintain it under a new name and url.  The high cost of such an action to both parties makes this option highly unlikely and unable to execute quickly.

What the trademark does not allow him to do is to block any person or organization from using any component of Drupal core or any modules housed on Drupal.org.  Those decisions are the sole discretion of the Drupal Association.  To date, we have exercised this authority in a very limited manner to protect and safeguard the website and its content from attacks and misuse.

Twenty-three years ago, Dries chose to release Drupal under an open-source license, inspiring tens of thousands to build careers and champion an Open Web. However, fulfilling this vision required more than just a General Public License. By creating the Drupal Association, setting up Drupal core's governance, and licensing the trademark, Dries ensured Drupal remained open-source without commercial entanglements, securing a strong, independent foundation.

Along with Dries Buytaert and many contributors, the Drupal Association is focused on the future of Drupal (see: Starshot Initiative). How can we support its adoption through marketing and create sustainable revenue streams for Drupal to flourish?  These are tough questions that confront many open source projects.  Our governance allows us to move forward in this work with great certainty.

If you are paying close attention to the Drupal CMS roadmap, you may have noticed that our focus has mostly been on CMS features and the administrative user interface. Many people have asked: What about themes?

Drupal CMS will initially ship with Olivero, which is the default theme for Drupal core in the Standard profile. Of course, Experience Builder will completely change the way we build sites, and that includes support for design systems and single-directory components. In order to support this initially, the Starshot Demo Design System was developed (very quickly!) to show how design systems can be integrated with XB. We will also develop some components for Olivero so that Drupal CMS and eventually core have something to demo with XB.

Now, we are planning for what comes next. So we are seeking a strategic partner to collaborate on designing and implementing a comprehensive design system for our post-v1 integration with Experience Builder for Drupal CMS. 

The goal for this initiative is to create a modern and versatile design system that provides designers and front-end developers tools to accelerate their adoption of Drupal as their digital platform, by enabling them to easily adapt it to their own brand. This design system will enable content marketers to efficiently build landing pages and campaigns, allowing them to execute cohesive marketing strategies while maintaining the brand integrity.

Since it’s a big commitment for anyone, we are dividing the scope of work between design and implementation. We welcome applicants with expertise in one area who wish to specialize, as well as those who are equipped to handle the complete lifecycle of the design system, from initial design to full technical implementation and integration.

For more details, including information on how to apply, check out the full brief.

Interested partners should submit the following by 6 December, and we will announce the selected proposal(s) the week of 16 December. If you have questions before that, we’re hosting a webinar on 19 November at 15:00 UTC. You can also find us on Slack in #starshot or #experience-builder in the meantime.

We are looking forward to seeing your proposals!

MARINA BAY, Singapore, 6 November, 2024—Drupal CMS, the groundbreaking package built on Drupal core with the marketer in mind, will launch on 15 January 2025. Conference attendees at DrupalCon Singapore 2024 will have the exclusive opportunity to be the first to learn more about Drupal CMS directly from Drupal’s founder, Dries Buytaert.

Learn how Drupal CMS will enable site builders without any Drupal experience to easily create a new site using their browser, marking one of the most significant launches in Drupal history.

Alongside the Drupal Association leadership team, Dries will unveil key features of Drupal CMS, making DrupalCon Singapore 2024 a can’t-miss event for anyone in the Open Source community. Occurring one month before the release of Drupal CMS, DrupalCon Singapore 2024 is an exclusive opportunity for attendees to join in the conversation surrounding Drupal CMS directly with its creators.

“The product strategy is for Drupal CMS to be the gold standard for no-code website building,” said Dries. “Our goal is to empower non-technical users like digital marketers, content creators, and site-builders to create exceptional digital experiences without requiring developers.”

DrupalCon Singapore 2024, 9-11 December 2024, is a premier gathering of Drupal and Open Source professionals. Over three days, the conference will showcase the latest Drupal trends, facilitate networking opportunities, and offer a platform for thought leadership in the Open Source landscape.

Key features of DrupalCon Singapore 2024 include:

• Keynotes, sessions, and panels: The Driesnote and Drupal CMS Panel are two highlights amongst a packed schedule of insightful sessions.
• Contribution Day: Contribution Day is where attendees grow and learn by helping to make Drupal even better. Giving back to the project is crucial in an Open Source community, as the Drupal project is developed by a community of people who work together to innovate the software.
• Birds of a Feather (BoFs): BoFs provide the perfect setting for connecting with like-minded attendees who share your interests.
• Splash Awards: Celebrate the work and creativity of the global Drupal community with this awards ceremony, which recognises outstanding projects built with Drupal.
• Networking Opportunities: Network with experts from around the globe who create ambitious digital experiences.

Register for DrupalCon Singapore 2024 at https://events.drupal.org/singapore2024 and join the next chapter in Drupal’s evolution!

The Drupal Community Working Group is pleased to announce that nominations for the 2025 Aaron Winborn Award are now open. This is your chance to recognize someone for their service, integrity, kindness, and above-and-beyond commitment to the Drupal community.

In addition to receiving a physical award, winners of the award also receive a scholarship and travel stipend for them to attend DrupalCon North America and recognition in a plenary session at the event.

Nominations are now open to everyone in the Drupal community! Whether someone has made an impact locally, regionally, or across the globe, we want you to nominate them. If you know someone who’s made a meaningful difference, big or small, now’s the perfect chance to recognize their contributions.

The Aaron Winborn Award was established to honor the legacy of Aaron Winborn, a long-time Drupal contributor whose battle with Amyotrophic Lateral Sclerosis (ALS), also known as Lou Gehrig's Disease ended on March 24, 2015. Inspired by a suggestion from Hans Riemenschneider (https://www.drupal.org/u/nonprofit), the Community Working Group, with the support of the Drupal Association, created this award to celebrate individuals who embody Aaron's spirit and dedication.

Nominations are open until Friday, February 1, 2025.
A committee consisting of the Community Working Group members (Conflict Resolution Team) as well as past award winners will select a winner from the nominations.

* Current members of the CWG Conflict Resolution Team and previous winners are not eligible for winning the award.

Previous winners of the award are:

• 2015: Cathy Theys
• 2016: Gábor Hojtsy
• 2017: Nikki Stevens
• 2018: Kevin Thull
• 2019: Leslie Glynn
• 2020: Baddý Breidert
• 2021: AmyJune Hineline
• 2022: Angie Byron 
• 2023: Randy Fay 
• 2024: Mike Anello

Now is your chance to be heard, show, support, and recognize an amazing community member!

Please submit a nomination today! 

Call for Creators!

If you or someone you know is an amazing creator who’d like to help craft one of our future Aaron Winborn Awards, please reach out to the Drupal Community Working Group.

Drupal 11.1.0 and 10.4.0 release dates

Drupal core typically has a minor release window the second week of December. This is to provide enough time after PHP and Symfony's release dates for core compatibility to be updated, but still far enough before the major end-of-year holidays to avoid interfering with vacations and travel.

This year, DrupalCon Singapore is scheduled for the same week as the minor release. Normally, we would avoid having a minor release the same week as a DrupalCon, but in this case we are unable to move the release date. We will aim to release 11.1.0 and 10.4.0 later in the week to avoid having the release during the actual days of the conference. The release window is now December 12-13 UTC.

Drupal 11.0 and 10.3 will continue to have security coverage until June 2025. So, it is safe for site owners to wait until January 2025 or later, if necessary, to update their sites.

Drupal 11.1 alpha phase begins October 28

In preparation for the minor release, Drupal 11.1.x will enter the alpha phase the week of October 28, 2024. Core developers should plan to complete changes that are only allowed in minor releases prior to the alpha release. The 11.1.0-alpha1 deadline for most core patches is October 28, 2024.

The 10.5.x release branch of core will be created for the next maintenance minor release.

• Developers and site owners can begin testing the alpha after its release.

• The 11.1.x release branch of core will be created before the alpha is tagged. Future feature and API additions will continue to be targeted against 11.x.

• After 11.1.x is branched but before 11.1.0-alpha1 is tagged, alpha experimental modules will be removed from the 11.1.x codebase. Their development will continue in 11.x only.

• Following the release of Drupal 11.1 and 10.4, only security issues will be fixed in Drupal 11.0 and 10.3. Additionally, Drupal 10.2 will become end-of-life (EOL).

• During the alpha phase, core issues will be committed according to the following policy:

  1. Most issues that are allowed for patch releases will be committed to 11.1.x and 10.4.x. Such issues may also be committed to 11.0.x and 10.3.x until the final normal bugfix releases of 11.0 and 10.3 on December 4, 2024.
  2. Most issues that are only allowed in minor releases will be committed to 11.x only. (Such issues may be released in 11.2 or another future minor.). A few strategic issues may be backported to 11.1.x, but only at committer discretion after the issue is fixed in 11.x (so leave them set to 11.x unless you are a committer), and only up until the beta deadline.
  3. Most issues that are allowed in maintenance minor releases will be committed to 11.x and 10.5.x only. A few strategic issues may be backported to 11.1.x and 10.4.x, but only at committer discretion after the issue is fixed in 11.x (so leave them set to 11.x unless you are a committer), and only up until the beta deadline.

Roughly two weeks after the alpha release, the first beta release will be created. All the restrictions of the alpha release apply to beta releases as well. The release of the first beta is a firm deadline for all feature and API additions. Even if an issue is pending in the Reviewed & Tested by the Community (RTBC) queue when the commit freeze for the beta begins, it will be committed to the next minor release only.

The release candidate phase will begin the week of November 25.

Security support of Drupal 10 and 11

See the Drupal core release process overview, the Drupal core release schedule, allowed changes during the Drupal 10 and 11 release cycles, and Drupal 10 and 11 backwards compatibility and internal API policy for more information.

An effective Request for Proposals (RFP) or Call for Proposals (CFP) not only outlines the goals and expectations of your project but also defines the framework within which potential vendors must operate. It goes beyond simply finding the right vendor to build your website or deliver a content management system (CMS) tailored to your needs—it's an opportunity to establish a partnership, support open source software, and contribute to a vibrant community ecosystem.

For many organizations, choosing open source software isn’t just a preference—it’s a strategic imperative. The advantages of free and open source software (FOSS) include cost savings, solutions tailored precisely to your organization’s needs, and robust security, strengthened by a vigilant community.

In this blog post, we’ll guide you through crafting an RFP that prioritizes open source solutions while tapping into the expertise of Drupal Certified Partners. We also offer a free, downloadable RFP template to help streamline the process, ensuring your project specifications attract top-tier vendors dedicated to innovation and contributing to the Drupal community.

The advantages of open source software

• Cost savings: Open source eliminates hefty licensing fees, allowing organizations to allocate resources more efficiently. While there may be costs associated with customization and maintenance, the overall financial burden is often significantly lower.
• Flexibility and extensibility: Open source platforms can be tailored to meet specific organizational needs. With access to the source code, developers can modify and extend functionalities without waiting for vendor updates or feature requests.
• Enhanced security: Open source communities actively monitor and address security vulnerabilities. The collaborative nature ensures that security patches and updates are promptly developed and deployed. 
• Alignment with organizational values: Open source promotes transparency, collaboration, and community-driven development. Organizations that prioritize these values find open source solutions to be a natural fit.
• Case study: Swiss Government's open source mandate

A notable example of strategic open source adoption is the Swiss government's recent decision to prioritize open source solutions in public sector projects. This mandate not only underscores the benefits of open source but also sets a precedent for other governmental bodies. By embracing open source, the Swiss government aims to enhance transparency, reduce costs, and foster innovation within its digital infrastructure.

Finding the ideal service provider

Finding the right service provider that aligns with your vision is crucial to the success of your project. The right partner not only brings the necessary technical expertise but also understands your long-term goals, ensures smooth collaboration, and shares your commitment to quality and innovation. A well-aligned service provider becomes a trusted partner, invested in both your immediate needs and your future growth.

Here's why partnering with Drupal Certified Partners makes a significant difference:

• Rigorous certification process: The Drupal Association evaluates potential partners based on their contributions to Drupal core, contributed modules, and themes. This ensures that only the most dedicated and skilled agencies receive certification.
• Proven track record: Certified Partners have a history of successful Drupal implementations, showcasing their ability to handle complex projects with efficiency and expertise.
• Commitment to the community: These partners actively contribute to the Drupal project through code contributions, module development, and participation and sponsorship in Drupal events and initiatives.
• Verifiable capabilities: The Drupal Association provides verified letters of recommendation for Certified Partners to include in RFP responses, giving procurement teams trusted verification of their skills and commitment to the Drupal ecosystem.

Certified partners are contributing experts

When drafting your Request for Proposals (RFP) or tender, specifying a preference for officially certified implementation partners — such as Drupal Certified Partners — can dramatically elevate the quality of vendor responses. Drupal Certified Partners are distinguished not only by their expertise in deploying Drupal solutions but also by their active contributions to the Drupal project itself. This dual commitment ensures that these partners are intimately familiar with the latest developments in Drupal, enabling them to deliver solutions that are both innovative and sustainable. Moreover, by requiring a Drupal Certified Partner, organizations directly support vendor involvement with the open source community, fostering a collaborative ecosystem that drives continuous improvement and long-term success.

The flywheel effect: How partner contributions benefit everyone

Choosing a Drupal Certified Partner also supports the broader Drupal project by empowering top contributors to maintain and enhance the platform that underpins your organization's digital presence. These partners often invest more resources into contributing to Drupal core, contributed modules, and themes than they do into traditional marketing efforts. This investment creates a "flywheel" effect: as partners develop new features or improvements to meet your specific needs, these enhancements are reintegrated into the Drupal community, benefiting all users and ensuring the platform remains cutting-edge and secure. You benefit as well, though, as the community jumps on board to test, extend, maintain, and update the code that you (through your partner) contributed. This makes your code better in the long run at no additional cost to you.

About the Drupal Certified Partner program

The Drupal Association, a nonprofit organization dedicated to promoting and sustaining the Drupal project, plays a crucial role in identifying and certifying these top-tier partners. Through evaluation of their contributions to Drupal core, contributed modules, and themes, the Drupal Association designates certain agencies as Drupal Certified Partners. This certification not only recognizes their technical prowess and commitment to the Drupal ecosystem but also provides procurers with verified attestations of their capabilities, simplifying the vendor selection process.

Testimonials and success stories

Organizations that have partnered with Drupal Certified Partners consistently report higher satisfaction levels, smoother project executions, and more robust and scalable solutions. These partners bring not only technical expertise but also a collaborative spirit that aligns with the open source philosophy, ensuring that projects are both innovative and sustainable.

Crafting your RFP for success

An effective RFP not only clearly defines your requirements and expectations, it also sets the boundaries within which potential vendors must operate. For example, specifying the need for mobile-responsive design ensures all proposals meet modern accessibility standards, while outlining strict data security requirements guarantees vendors prioritize protecting sensitive information. Additionally, specifying a preference for open source software like Drupal can impact your project's flexibility, cost, and alignment with organizational values.

Here's how to structure your RFP to prioritize open source solutions and Drupal Certified Partners:

1. Define project goals and objectives

   • Clearly outline what you aim to achieve with your website redesign or CMS selection.

   • Include specific functionalities, design preferences, and performance metrics.

2. Specify open source requirements

   • Highlight the importance of using open source software.

   • Explain how open source aligns with your organization’s values and strategy.

3. Mandate Drupal Certified Partner certification

   • State that only proposals from Drupal Certified Partners will be considered.

   • Provide information about the certification and its significance.

4. Outline evaluation criteria

   • Detail how proposals will be assessed, focusing on contributions to Drupal.

   • Include criteria such as technical expertise, project management skills, and community involvement.

5. Provide a clear timeline and budget

   • Offer realistic deadlines and budget ranges.

   • Allow flexibility for high-quality vendors to propose innovative solutions.

6. Include legal and compliance requirements

   • Address legal considerations such as data protection and accessibility standards.

7. Offer resources and support

   • Provide access to your organization’s content, branding guidelines, and technical documentation.

   • Encourage collaboration and ongoing communication.

Jumpstart your RFP with a ready-made template

The Drupal Association is proud to offer a downloadable RFP template tailored for open source website design and CMS selection projects. This template includes all the essential sections outlined above, along with customizable fields to suit your organization's unique needs. The template is also applicable to Request for Quotation (RFQ), Invitation to Bid (ITB), Request for Information (RFI), and Request for Tender (RFT) procurement processes. 

Download the open source RFP template

Many thanks to Vardot, a Drupal Certified Partner, for providing the inspiration for this post and the initial version of the template!

Strategies for evaluating vendor proposals

Evaluating vendor proposals can be daunting, especially when faced with lengthy submissions or a high volume of responses. A common approach is to use a weighted scoring system to compare proposals based on key criteria while ensuring your priorities and values are accounted for. Keep in mind that the best fit may not meet every criterion perfectly, but a vendor who aligns with your organization’s values and fully understands your vision can offer the greatest long-term success. 

Use these strategies to ensure a thorough assessment:

• Alignment with goals: Make sure the proposal clearly aligns with your project’s goals and objectives.
• Technical expertise: Assess the vendor's technical capabilities and experience with Drupal. Have they successfully delivered projects for clients similar to yours in size and industry? Looks for published case studies to verify their claims.
• Community contributions: Check the vendor's contributions to the Drupal project. Their involvement can demonstrate both commitment and expertise. From the vendor's page on Drupal.org, you can see if they have contributed to or maintained modules that may be essential to your project.
• References and case studies: Review client testimonials and case studies to gauge the vendor's reliability and quality of work. Drupal.org publishes case studies for Drupal Certified Partners to showcase their success stories.
• Long-term support: elect vendors who offer ongoing support and maintenance to keep your website secure, up-to-date, and adaptable to future needs.

Get the results you want with a targeted RFP

A well-crafted RFP is the foundation of a successful website redesign or CMS selection project. By prioritizing open source solutions and requiring Drupal Certified Partner certification, you ensure that your project is handled by capable vendors committed to both your success and the open source community. This approach not only enhances the quality and sustainability of your project but also supports the broader Drupal community, fostering an environment of continuous improvement and innovation.

Ready to create an effective RFP that attracts top-tier Drupal Certified Partners? Download our comprehensive RFP template today and take the first step towards a successful, sustainable, and community-driven project.

Start your project with confidence with this RFP Template!