016 — Security workflow
Security issues are typically sent via a security form.
If an issue is reported directly in a public place such as a repository issue or a forum topic, save the contents of the report and delete the public post. Thank the reporter and point to the security form for next time.
Verify
Verify that the issue is valid. Request more information if needed.
Add security advisory
Create a draft GitHub security advisory.
Find out severity
- Calculate the CVSS score using the NVD calculator.
- Choose the severity based on the CVSS rating scale.
Give credit to the reporter
Ask the reporter whether they want credit for finding the issue. If so, reference their GitHub account.
Request a CVE number
When you're ready, request a CVE.
Prepare a patch
Prepare a pull request that fixes the issue. GitHub allows doing this in a private fork.
Wait until the CVE number is allocated
It usually takes several days.
Release
- Merge the patch pull request right before tagging the next package release.
- Publish the security advisory.
- Add the CVE to FriendsOfPHP/security-advisories. See #488 as an example.