Drupal 7 NES SLA

Drupal 7 NES Service Level Agreement (SLA)

Included in Drupal 7 NES

As of September 23, 2024, a Drupal 7 NES Subscription includes both Drupal 7 NES and Drupal 7 NES: Basic Edition, as discussed further below.

Drupal 7 Core

On June 7th, 2023, the Drupal Association announced that Drupal 7 will reach End of Life on January 5th, 2025 and that, effective immediately, there would be reduced support for moderately critical and lower-severity issues during this maintenance phase (“Long Term Support” or “LTS”). We will use commercially reasonable best efforts to provide support for Drupal 7 Core that meets the same level of support services provided during the LTS period by the Drupal Association. Additionally, we will provide a higher level of support through a 14 calendar day mitigation SLA for proven critical and highly-critical vulnerabilities.

When a reproducible vulnerability is reported and confirmed by our team (“Vulnerability”), our resolution process will follow similar standards to the Drupal Security Team Resolution Process including:

  • Confidentiality in reporting until remediation exists
  • Review of the Vulnerability and evaluation of impact on Drupal 7 core (including modules and themes)
  • Creation, review, and testing of security fixes
  • Communication with clients
  • Distribution of updates or advisories
  • Public reporting of the Vulnerability to appropriate authorities

Drupal 7 Contrib Modules (Module Support)

HeroDevs Never-Ending Support for Drupal modules will follow similar standards to the Drupal Security team process. Our remediation coordination for Vulnerabilities will include Drupal 7 modules that are actively maintained, minimally maintained, and those seeking new maintainers or co-maintainers as of January 5, 2025.

Our resolution process will follow similar standards to the Drupal Security Team Resolution Process specifically including:

  • Confidentiality in reporting until remediation exists
  • Review of the issue and evaluation of impact on Drupal 7 and supported modules
  • Attempts to mobilize module maintainers to remediate the Vulnerability
  • Creation, review, and testing of security fixes where possible
  • Communication with clients
  • Distribution of updates
  • As a last resort, when no remediation is possible after maintainer communication and HeroDevs' commercially reasonable best efforts at remediation, we will issue an advisory with recommendations up to and including disabling the module

Drupal 7 NES support coverage excludes custom modules, modules that break due to third-party APIs, closed-source or closed-license modules, and modules that were insecure or unmaintained as of January 5, 2025.

Common Specifications

  • Security risk levels will continue to be defined by the Drupal security risk calculator. Based upon the Drupal risk calculator, Vulnerabilities with scores:
    • Between 0 and 4 are considered Not Critical
      • Drupal 7 Core: 21-calendar-day review and response
      • Drupal 7 Essentials: 21-calendar-day review and response
    • 5 to 9 are considered Less Critical
      • Drupal 7 Core: 21-calendar-day review and response
      • Drupal 7 Essentials: 21-calendar-day review and response
    • 10 to 14 are considered Moderately Critical
      • Drupal 7 Core: 21-calendar-day review and response
      • Drupal 7 Essentials: 21-calendar-day review and response
    • 15 to 19 are considered Critical
      • Drupal 7 Core: 24-hour response, 48-hour investigation, 14-calendar-day mitigation
      • Drupal 7 Essentials: 24-hour response, 48-hour investigation and maintainer communication, 21-calendar-day mitigation or advisory
    • 20 to 25 are considered Highly Critical
      • Drupal 7 Core: 24-hour response, 48-hour investigation, 14-calendar-day mitigation
      • Drupal 7 Essentials: 24-hour response, 48-hour investigation and maintainer communication, 14-calendar-day mitigation or advisory
  • Our SLA response time will be based on the user-selected severity of the Vulnerability, but HeroDevs has sole discretion to reset the severity based on our investigation and applied use of the Drupal security risk calculator.
  • HeroDevs NES will continue to support Drupal 7 running on the same versions of PHP as were supported at end of life.
  • Both parties agree to work together in good faith to keep these definitions of support updated going forward.