|
1 |
| -# Security Classification Document |
| 1 | +# Vulnerability Disclosure Policy |
2 | 2 |
|
3 |
| -*The canonical version of this document is located at <https://wiki.php.net/security>. |
4 |
| -Where there are discrepancies, the canonical version takes precedence.* |
5 |
| - |
6 |
| -## Meta |
7 |
| - |
8 |
| -- Authors: Release Managers |
9 |
| -- Date: November 2016 |
10 |
| -- Version: 1.0.1 |
11 |
| -- RFC: [Security Issue Classification](https://wiki.php.net/rfc/security-classification) |
| 3 | +*This document was originally published at <https://wiki.php.net/security>.* |
12 | 4 |
|
13 | 5 | ## Introduction
|
14 | 6 |
|
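Review bot: the deletion of the Meta block (the removed lines -6 to -11: Authors, Date, Version 1.0.1 and the link to the Security Issue Classification RFC) leaves no replacement, and the new line +3 only says the document "was originally published at" the wiki, so it no longer states which copy is authoritative when the two diverge, which the removed sentence "Where there are discrepancies, the canonical version takes precedence" did. Keep a short version or date line plus the RFC reference, e.g. `- RFC: [Security Issue Classification](https://wiki.php.net/rfc/security-classification)`, or state explicitly that this file is now the canonical text and the wiki copy is historical.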
@@ -118,48 +110,59 @@ We do not classify as a security issue any issue that:
|
118 | 110 |
|
119 | 111 | ## Handling issues
|
120 | 112 |
|
121 |
| -High and medium severity fixes are merged into a security repository and |
122 |
| -merged before the release is tagged. |
| 113 | +High and medium severity fixes are merged into a private security repository, |
| 114 | +and then merged to the main repository before the release is tagged. |
123 | 115 |
|
124 | 116 | Low severity fixes are merged immediately after the fix is available and
|
125 | 117 | handled like all regular bugs are handled consequently. However, release
|
126 | 118 | managers may choose to pull those fixes into the RC branch after the
|
127 |
| -branch is created, and also backport them into security-only release |
| 119 | +branch is created, and also backport them into a security-only release |
128 | 120 | branch.
|
129 | 121 |
|
130 | 122 | ## FAQ
|
131 | 123 |
|
132 |
| -Q. How do I report a security issue?\ |
133 |
| -A. Please report it on <https://bugs.php.net>, choosing type "Security". |
134 |
| -This will automatically make it private. If for some reason you can not |
135 |
| -do that, or need to talk to somebody about a PHP security issue that is |
136 |
| -not exactly a bug report, please write to [email protected]. |
| 124 | +### How do I report a security issue? |
| 125 | + |
| 126 | +Please report security vulnerabilities on GitHub at: |
| 127 | +<https://github.com/php/php-src/security/advisories/new> |
| 128 | + |
| 129 | +If for some reason you cannot use the form at GitHub, or you need to talk to |
| 130 | +somebody about a PHP security issue that might not be a bug report, please write |
| 131 | + |
| 132 | + |
| 133 | +Vulnerability reports remain private until published. When published, you will |
| 134 | +be credited as a contributor, and your contribution will reflect the MITRE |
| 135 | +Credit System. |
| 136 | + |
| 137 | +### What do you consider a responsible disclosure? |
137 | 138 |
|
138 |
| -Q. What do you consider a responsible disclosure?\ |
139 |
| -A. Please report the issue as described above. Please communicate with |
| 139 | +Please report the issue as described above. Please communicate with |
140 | 140 | the developers about when the fix will be released - usually it's the
|
141 | 141 | next monthly release after the bug was reported. Some issues can take
|
142 |
| -longer. After the fix is released (releases usually happen on Thursday) |
| 142 | +longer. After the fix is released (releases usually happen on Thursdays) |
143 | 143 | please feel free to disclose the issue as you see fit.
|
144 | 144 |
|
145 |
| -Q. What if I think it's a security issue but developers disagree?\ |
146 |
| -A. Please read the above and try to explain to us why it fits the |
| 145 | +### What if I think it's a security issue but the developers disagree? |
| 146 | + |
| 147 | +Please read the above and try to explain to us why it fits the |
147 | 148 | description.
|
148 | 149 |
|
149 |
| -Q. What if developers still don't think it's a security issue?\ |
150 |
| -A. We'll have to agree to disagree. |
| 150 | +### What if the developers still don't think it's a security issue? |
| 151 | + |
| 152 | +We'll have to agree to disagree. |
| 153 | + |
| 154 | +### The bug I submitted was classified as "not a security issue." You don't believe it's real? |
151 | 155 |
|
152 |
| -Q. The bug I submitted was classified as "not a security issue", you |
153 |
| -don't believe it's real?\ |
154 |
| -A. It has nothing to do with the bug being real or its importance to |
| 156 | +It has nothing to do with the bug being real or its importance to |
155 | 157 | you. It just means it does not fit our specific definitions for issues
|
156 | 158 | that we will handle in a special way. We fix a lot of non-security bugs
|
157 | 159 | and pull requests are always welcome.
|
158 | 160 |
|
159 |
| -Q. But you classified bug #424242 as security issue, but not this |
160 |
| -one?!\ |
161 |
| -A. Each bug usually has its aspects, if a short discussion does not |
| 161 | +### But you classified bug #424242 as a security issue, but not this one?! |
| 162 | + |
| 163 | +Each bug usually has its aspects, if a short discussion does not |
162 | 164 | yield agreement we'd rather do more fixing and less arguing.
|
163 | 165 |
|
164 |
| -Q. Do you pay bounties for security issues?\ |
165 |
| -A. PHP is a volunteer project. We have no money, thus we can't pay them. |
| 166 | +### Do you pay bounties for security issues? |
| 167 | + |
| 168 | +PHP is a volunteer project. We have no money, thus we can't pay bounties. |
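Review bot: the rewritten fallback-contact sentence at +129 to +131 breaks off after "please write" and is followed only by two blank lines (+132, +133), so the address for reporters who cannot use the GitHub advisory form is lost; the removed line -136 ended with a recipient ("please write to [email protected]."). Restore the recipient and the trailing full stop on +131 before merging, since this is the only non-GitHub reporting channel the policy names. Secondarily, "your contribution will reflect the MITRE Credit System" at +134/+135 is vague: say what a reporter can expect (whether and how they are named in the published advisory and its CVE record) or link the scheme being referred to. The comma splice carried into +163 ("Each bug usually has its aspects, if a short discussion does not yield agreement...") could be fixed in the same pass, e.g. "Each bug has its own aspects; if a short discussion does not yield agreement...".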