
Drupal NES SLA

Service Level Agreement (SLA)

Included in Drupal 7 NES

As of September 23, 2024, a Drupal 7 NES Subscription includes both Drupal Core and Drupal Essentials, as discussed further below.

Drupal Core NES

On June 7th, 2023, the Drupal Association announced that Drupal 7 would reach End of Life on January 5th, 2025 and that effective immediately, there would be reduced support for moderately critical and lower-severity issues during this maintenance phase (“Long Term Support” or “LTS”). We will use commercially reasonable best efforts to provide support for Drupal 7 Core that meets the same level of support services provided during the LTS period by the Drupal Association. Additionally, we will provide a higher level of support through a 14 calendar day mitigation SLA for proven critical and highly-critical vulnerabilities.

When a reproducible vulnerability is reported and confirmed by our team (“Vulnerability”), our resolution process will follow similar standards to the Drupal Security Team Resolution Process including:

  • Confidentiality in reporting until remediation exists
  • Review of the Vulnerability and evaluation of impact on Drupal 7 core (including modules and themes)
  • Creation, review, and testing of security fixes
  • Communication with clients
  • Distribution of updates or advisories
  • Public reporting of the Vulnerability to appropriate authorities

Drupal Essentials NES (Module Support)

HeroDevs Never Ending Support for Drupal modules will follow similar standards to the Drupal Security team process. Our remediation coordination for Vulnerabilities will include Drupal 7 modules that are actively maintained, minimally maintained, and those seeking new maintainers or co-maintainers as of January 5, 2025.

Our resolution process will follow similar standards to the Drupal Security Team Resolution Process specifically including:

  • Confidentiality in reporting until remediation exists
  • Review of the issue and evaluation of impact on Drupal 7 and supported modules
  • Attempts to mobilize module maintainers to remediate the Vulnerability
  • Creation, review, and testing of security fixes where possible
  • Communication with clients
  • Distribution of updates
  • As a last resort, when no remediation is possible after maintainer communication and HeroDevs' commercially reasonable best efforts at remediation, we will issue an advisory with recommendations up to and including disabling the module

Drupal Essentials support coverage excludes custom modules, modules which break due to third-party APIs, closed-source or closed-license modules, or modules which were insecure or unmaintained as of January 5, 2025.

Common Specifications

  • Security risk levels will continue to be defined by the Drupal security risk calculator. Based upon the Drupal risk calculator, Vulnerabilities with scores:
    • Between 0 and 4 are considered Not Critical
      • Drupal 7 Core: 21 calendar day review and response
      • Drupal 7 Essentials: 21 calendar day review and response
    • 5 to 9 are considered Less Critical
      • Drupal 7 Core: 21 calendar day review and response
      • Drupal 7 Essentials: 21 calendar day review and response
    • 10 to 14 are considered Moderately Critical
      • Drupal 7 Core: 21 calendar day review and response
      • Drupal 7 Essentials: 21 calendar day review and response
    • 15 to 19 are considered Critical
      • Drupal 7 Core: 24-hour response, 48-hour investigation, 14 calendar day mitigation
      • Drupal 7 Essentials: 24-hour response, 48-hour investigation and maintainer communication, 21 calendar day mitigation or advisory
    • 20 to 25 are considered Highly Critical
      • Drupal 7 Core: 24-hour response, 48-hour investigation, 14 calendar day mitigation
      • Drupal 7 Essentials: 24-hour response, 48-hour investigation and maintainer communication, 14 calendar day mitigation or advisory
  • Our SLA response time will be based on the user-selected severity of the Vulnerability, but HeroDevs has sole discretion to reset the severity based on our investigation and applied use of the Drupal security risk calculator.
  • HeroDevs NES will continue to support Drupal 7 running on the same versions of PHP as were supported at end of life.
  • Both parties agree to work together in good faith to keep these definitions of support updated going forward.