Security

Handling security vulnerabilities is an important part of open-source development. This page is meant to streamline the process of reporting security vulnerabilities and getting information about them.

Disclosure

We maintain a dedicated vulnerability disclosure feed (http://phpsx.org/disclosure) which contains every announced vulnerability. You can subscribe to this feed to always get the latest security information. Besides that, we will also announce each known vulnerability in a blog post.

Reporting

The following process shows how the PSX team handles a reported security vulnerability:

  • The vulnerability gets reported privately to security [at] phpsx.org.
  • Messages that do not relate to security vulnerabilities in PSX are ignored.
  • We investigate the report and either reject or accept it.
  • If the report is rejected, we send the reporter an explanation of why.
  • If the report is accepted, we inform the reporter of the acceptance and that we are working on a fix.
  • Develop a fix in private.
  • Provide the reporter with a copy of the fix and a draft vulnerability announcement for comment.
  • Agree on the fix, the announcement and the release schedule with the reporter.
  • Commit the fix.
  • Create a new release that includes the fix.
  • Announce the release and the vulnerability. This includes a blog post of the new version and adding the vulnerability to the vulnerability disclosure feed.