Business

How to talk to your customers about Drupal Security updates

With the recent release of versions 7.2 and 6.22, a significant Drupal security flaw in 6.x has been identified and fixed. While I feel strongly this is illustrates the value of Drupal and Open Source, it can be a significant challenge to talk to your customers about this. Here's the email that we drafted up and shared with our customers (please feel free to use it, rewrite and share if it proves useful)...

Joaquin Lippincott, Chief Executive Officer in Sales & Marketing
May 25, 2011
Filed under:

With the recent release of versions 7.2 and 6.22, a significant Drupal security flaw in 6.x has been identified and fixed. While I feel strongly this is illustrates the value of Drupal and Open Source, it can be a significant challenge to talk to your customers about this.

Here's the email that we drafted up and shared with our customers (please feel free to use it, rewrite and share if it proves useful):

Dear [Customer],

There was a significant security flaw identified in the version of Drupal your site is running that was fixed in a security patch that was released released on Drupal.org May 25. We're currently recommending implementing this ASAP patch to avoid any issues.

[Here we vary depending on whether our customer has a service agreement with us or not.]

A. Since you currently have an Extended Service Agreement with us, we're recommending scheduling the fix as part of our monthly allotment of hours.

OR

B. Since this represents a significant danger to the data on your site and machines within our hosting environment we are considering this update to be mandatory. Please let us know if you will be able to schedule a software update within the next few weeks yourself, or we can implement the patch on a time and materials basis.

We're currently estimating this task as a 1 hour line-item billed at your normal hourly rate, however should complications arise it's possible that it could take more time. There should be no downtime associated with the patch, but you may wish you review the site for possible issues/changes. If you need us to address any issues, they will be addressed on a T&M basis.

I feel strongly that this update should be viewed as a showcases the value of Drupal and Open Source projects. If your site were not built using Drupal, it's likely that this issue would have gone undetected and could have resulted in significant financial cost. The recent high profile Sony Playstation Network security breach being a potent example of what can go wrong.

Thank you for your understanding and continuing business! Please feel free to contact me should you have any questions.

Here's a link to the official announcement:
http://drupal.org/drupal-7.2

I'd love to hear how you deal with these potentially tough conversations, and what you've learned from them.
Business Drupal Security

Similar posts

Drupal

Playing Drupal the card game the Drupal way

Now that NodeOne is running out of Drupal the Card Game I feel like it's time to introduce my version of the game rules which I believe are actually...

Chuck Vose, Web Developer Sep 20, 2010
artificial intelligence

Views 3 makes programmers happy

Views 3 addresses some of the most stubborn parts of Views 2, and significantly improves the way Drupal programmers deliver features to clients.

Tony Rost, Chief Technology Officer Mar 25, 2011
Drupal

Quick Tip: Dive Into Drupal Objects with Search Krumo

If you've done any signifigant development with Drupal, you're probably (deeply) familiar with a little function called dpm(). I think it stands for...

Kronda Adair, Developer & Client Experience Advocate Sep 13, 2012

Get notified on new marketing insights

Be the first to know about new B2B SaaS Marketing insights to build or refine your marketing function with the tools and knowledge of today’s industry.