I have recently managed to create a module on drupal.org, by following the entire process from Sandbox->Project Application->Module Publish.

However, after a few weeks my module lost the security shield, and I am getting this message instead:

This project is not covered by the security advisory policy. It may have publicly disclosed vulnerabilities. Use at your own risk!

I have gone through some of the documentation (Security advisory process and permissions policy), but I couldn't find a suitable explanation.

Here is a screenshot of what it looks like now:

My questions:

  1. Why has my module been tagged with this message?
  2. How can I resolve it, or how can I find what is wrong in my module?

Solution

Only full releases get the security shield. Your screenshot only shows a dev version. I don't think the shield was removed from your module, as it wouldn't have had one in the first place since you don't have a full release.

To get the security shield, you'll need to release a full version (one not suffixed with -dev, -alpha or -beta).

** EDIT **

I have just discovered that an additional step needs to be taken in addition to creating a full release. Until recently, if a module was given a full release, it automatically received the security advisory. However, I just promoted a module I've got from RC to a full release, and it did not receive the security advisory. Editing the module page now has an option that requires the module maintainer to opt into the security advisory.

Even having done so, my module still does not have the advisory shield, so I assume it now goes under some review from the security team before receiving it. This issue seems to support that assumption: https://www.drupal.org/node/2666584

--- Edit 2 ----

It turns out there was a bug in the system. I am already able to promote modules to drupal.org rather than the sandbox. With existing modules, when upgrading from D7 -> D8, modules were automatically given the shield when I released a full version. However, the module I mentioned above did not have a D7 version, and when I promoted it to a full release it didn't receive the shield. After waiting two weeks for approval I finally contacted the security team, and they looked into it and found a bug in the caching system, and fixed it.

So it appears that the original information I gave - that you just need to release a full version, and have opted into security advisory coverage, is correct.

Here's a screenshot of the module edit page.

Other tips

You need to create an official release, for at least 1 version of Drupal core that is supported. In your case, for D7, like a 7.x-1.0 version of your module. Shortly after doing so, your module will have the security shield.

If you want, have a look at modules such as the Conditional Rules module, used in over 11K Drupal 7 sites. It has the same message shown on its project page also.

Drupal core criteria

  • "Only full releases get the security shield" (as in the accepted answer) may need some refinement: have a look at the Support Ticketing System module, which does have a full release for D6 (which is no longer supported). But it does NOT have the security shield either.
  • If a module does have an official release for at least 1 version of a supported Drupal core version (e.g. for D7), then the security shield will not be removed by adding a dev, alpha, beta or rc version (with no official release yet) for another supported Drupal core version (e.g. for D8). For a sample of this, have a look at the Rules module. Note however that in this case the D7 version has an extra (green) shield that is not shown for the D8 version of it.

More info

For way more details on this, refer to these issues:

How to create an official release

Head over to your https://www.drupal.org/project/myproject/git-instructions (where you replace myproject with your module name). Near the bottom of it, you'll find detailed instructions about Creating Releases. More specifically, you should do what's mentioned within Tag for a stable release there, which is like so:

    git checkout 7.x-1.x
    git tag 7.x-1.0
    git push origin tag 7.x-1.0

Once you've pushed the properly formed tag or branch, see Creating a project release for directions to actually create the release node.

Bonus tips

  • If you're not ready yet to create an official release, you can always add some note on your project page like "Note: as the module maintainer, I'm not aware of any publicly disclosed vulnerabilities".
  • IMO "Use it at your own risk!" applies NOT only to contributed modules for which the security shield is NOT shown.

Related article

Drupal Security Shield For Contributed Modules,What That Means? (Credits: zhilevan)
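
The release-naming rules discussed in the answers above (a full release has no -dev, -alpha, -beta or -rc suffix, and must target a supported core version), as an added example that is not part of the original answers or drupal.org's own code. The function names and the supported-core list passed in are assumptions, only the CORE.x-MAJOR.MINOR scheme shown on this page is handled, and the opt-in setting on the project edit page cannot be checked this way.

```shell
#!/bin/sh
# Added example: classify Drupal contrib version strings such as 7.x-1.0.

# classify_release VERSION -> prints full | prerelease | dev | invalid
classify_release() {
  tag=$1
  if printf '%s\n' "$tag" | grep -Eq '^[0-9]+\.x-[0-9]+\.[0-9]+$'; then
    echo full          # e.g. 7.x-1.0
  elif printf '%s\n' "$tag" |
       grep -Eq '^[0-9]+\.x-[0-9]+\.[0-9]+-(alpha|beta|rc)[0-9]+$'; then
    echo prerelease    # e.g. 7.x-1.0-beta1
  elif printf '%s\n' "$tag" | grep -Eq '^[0-9]+\.x-[0-9]+\.x-dev$'; then
    echo dev           # e.g. 7.x-1.x-dev
  else
    echo invalid
  fi
}

# eligible_releases "SUPPORTED_CORES"
# Reads version strings on stdin and prints only the full releases whose
# core major version is in the space-separated list (an assumption supplied
# by the caller, e.g. "7 8").
eligible_releases() {
  supported=" $1 "
  while IFS= read -r tag; do
    [ "$(classify_release "$tag")" = full ] || continue
    core=${tag%%.x-*}
    case "$supported" in
      *" $core "*) printf '%s\n' "$tag" ;;
    esac
  done
}

# Constructed sample input, not taken from any real project.
SAMPLE_TAGS='6.x-1.0
7.x-1.0-beta1
7.x-1.x-dev
7.x-1.0
8.x-1.0-rc1'
```

In a module checkout, `git tag -l | eligible_releases "7 8"` lists the tags that count as full releases for the core versions you pass in; an empty result means no release of the project qualifies yet.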

Licensed under: CC-BY-SA with attribution