Specifications should be a major part of the foundation we built on. Unfortunately, we're a bit loose with our adherence to specs. (Writer is guilty too).

Today we released a security announcement about a Webform SQL Injection vulnerability outside of the normal release schedule on Wednesday.

Apart from PHP bugs and Denial of Service attacks, there's another reason why calling unserialize on user-supplied data (cookies, hidden form fields) is a bad idea.

We recently received a report by "ZeroDayScan", about a "Full path disclosure bug in Drupal 6.16".