Handling of security vulnerabilities is an important part of open-source development. With the following page we want to streamline the process of reporting and getting information about security vulnerabilities.
We maintain a dedicated vulnerability disclosure feed (http://phpsx.org/disclosure) which contains every announced vulnerability. You can subscribe to this feed in order to always get the latest security information. Besides that, we will also announce each known vulnerability in a blog post.
The following process shows how the PSX team handles a reported security vulnerability:
- The vulnerability gets reported privately to security [at] phpsx.org.
- Messages that do not relate to security vulnerabilities in PSX are ignored.
- Investigate the report and either reject or accept it.
- If the report is rejected, send the reporter an explanation of why.
- If the report is accepted, inform the reporter of the acceptance and that we are working on a fix.
- Develop a fix in private.
- Provide the reporter with a copy of the fix and a draft vulnerability announcement for comment.
- Agree on the fix, the announcement and the release schedule with the reporter.
- Commit the fix.
- Create a new release that includes the fix.
- Announce the release and the vulnerability. This includes a blog post about the new version and adding the vulnerability to the vulnerability disclosure feed.