016 - Security workflow

Security issues are typically sent via a security form.

If an issue is reported directly to a public page such as repository issue or a forum topic, get the message and delete the issue. Say thanks to the reporter and point to the security form for next time.

Verify

Verify that the issue is valid. Request more information if needed.

Add security advisory

Create draft GitHub security advisory.

Find out severity

1. Get CVSS score using NVD calculator.
2. Choose severity based on the rating scale.

Give credit to the reporter

Ask reporter if he wants a credit for finding the issue. If so, point to his GitHub account.

Request a CVE number

When you’re ready, request a CVE.

Prepare a patch

Prepare a pull request fixing the issue. GitHub allows doing it in a private fork.

Wait till CVE number is allocated

It usually takes several days.

Release

• Merge the patch pull request right before tagging next package release.
• Publish security advisory.
• Add CVE to FriendsOfPHP/security-advisories. See #488 as example.