016 — Security workflow
Security issues are typically sent via a security form.
If an issue is reported directly in a public place such as a repository issue or a forum topic, save the full report (it is lost once the issue is deleted), then delete the public issue. Thank the reporter and point them to the security form for next time.
```mermaid
flowchart TD
form[Security form report] --> verify[Verify issue]
public[Public report] --> remove[Save details and delete public issue]
remove --> redirect[Point reporter to the security form]
redirect --> verify
verify -->|needs details| requestInfo[Request more information]
requestInfo --> verify
verify -->|valid| advisory[Create draft security advisory]
advisory --> severity[Set CVSS severity]
severity --> credit[Ask about reporter credit]
credit --> cve[Request CVE number]
cve --> patch[Prepare patch pull request]
patch --> wait[Wait for CVE allocation]
wait --> release[Release]
release --> publish[Publish advisory and submit FriendsOfPHP entry]
```
Verify
Confirm that the issue is real and reproducible against a current release. If the report lacks what you need to reproduce it (affected versions, configuration, a proof of concept), ask the reporter for more information before going further.
Add security advisory
Create a draft GitHub security advisory.
Find out severity
- Compute the CVSS score with the NVD calculator.
- Map the score to a severity using the CVSS qualitative rating scale: Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), Critical (9.0 to 10.0).
Give credit to the reporter
Ask the reporter whether they want to be credited for finding the issue. If so, add their GitHub account to the advisory's credits.
Request a CVE number
When the advisory is ready, request a CVE number from GitHub through the draft advisory.
Prepare a patch
Prepare a pull request fixing the issue. GitHub can create a temporary private fork from the draft advisory, so the fix can be developed and reviewed without disclosing it before the release.
Wait until the CVE number is allocated
Allocation usually takes several days. Do not publish the advisory or the fix before the number is assigned.
Release
- Merge the patch pull request right before tagging the next package release.
- Publish the security advisory once the release is tagged.
- Add an entry for the CVE to FriendsOfPHP/security-advisories. See #488 for an example.
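What a FriendsOfPHP/security-advisories entry looks like, as an added illustration that is not part of this page or of the referenced pull request: the file lives at vendor/package/CVE-ID.yaml in that repository and lists, for each affected branch, the fix time and the vulnerable version range in Composer constraint syntax. The vendor and package name, the CVE number, the advisory URL, the dates and the versions below are placeholders (assumptions), not real identifiers.

```yaml
# Added example, not from this page: illustrative FriendsOfPHP/security-advisories entry.
# In that repository this file would be acme/example-package/CVE-YYYY-NNNNN.yaml.
# Vendor, package, CVE, URL, dates and versions are placeholders (assumptions).
title: "CVE-YYYY-NNNNN: Short description of the vulnerability"
link: https://github.com/acme/example-package/security/advisories/GHSA-xxxx-xxxx-xxxx
cve: CVE-YYYY-NNNNN
branches:
    1.2.x:
        # time of the release that ships the fix on this branch
        time: 2024-01-15 10:00:00
        # first vulnerable release up to, but excluding, the fixed release
        versions: ['>=1.2.0', '<1.2.5']
    2.0.x:
        time: 2024-01-15 10:00:00
        versions: ['>=2.0.0', '<2.0.3']
# Composer package name, used by tools such as the security checker to match installed packages
reference: composer://acme/example-package
```

The upper bound of each versions constraint must exclude the release that contains the patch, otherwise tools consuming the database will flag the fixed version as vulnerable. Check the repository's README for the currently required fields before opening the pull request.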