Contributing Guidelines

Security Issues

Note

Each project may follow a more detailed protocol for handling security issues. This document explains how security issues are handled, in general, by the core team.

Reporting a Security Issue

If you think that you have found a security issue in a project, don’t use the mailing list or the bug tracker and don’t publish it publicly. Instead, all security issues must be sent to the private e-mail address of the project’s maintainer.

The project’s maintainer can be found in the copyright header of source files.

Resolving Process

For each report, we first try to confirm the vulnerability. When it is confirmed, the core-team works on a solution following these steps:

  1. Send an acknowledgement to the reporter;
  2. Work on a patch;
  3. Get a CVE identifier from mitre.org;
  4. Write a security announcement for the project’s website about the vulnerability. This post should contain the following information:
    • a title that always includes the “Security release” string;
    • a description of the vulnerability;
    • the affected versions;
    • the possible exploits;
    • how to patch/upgrade/workaround affected applications;
    • the CVE identifier;
    • credits.
  5. Send the patch and the announcement to the reporter for review;
  6. Apply the patch to all maintained versions of the project;
  7. Package new versions for all affected versions;
  8. Publish the post on the official website;
  9. Update the public security advisories database maintained by the FriendsOfPHP organization, which is used by the security:check command.

Note

Releases that include security fixes should not be made on a Saturday or Sunday, unless the vulnerability has already been posted publicly.

Note

While we are working on a patch, please do not reveal the issue publicly.

Note

The resolution takes anywhere from a couple of days to a month, depending on its complexity.