New symfony security policy
– May 21, 2008
Last week we fixed a security bug allowing XSS attacks in certain circumstances. The related ticket was opened more than a year ago.
You may be wondering why it took us such a long time to react. Here's the main reason: we did not have a very strong process for reporting and qualifying security alerts. This has been fixed recently.
So as of now, if you find a security bug in symfony, please send an email to security at symfony-project.com, with as much detail as you can and ideally a patch if you can provide one. Your message will be forwarded to the core team's internal mailing list, qualified and addressed as quickly as possible. The whole procedure is detailed in a dedicated section of the brand new "how to contribute" page in the symfony wiki.
By the way, don't hesitate to read the whole "how to contribute" page on the wiki, as there's plenty of information on how you can help the symfony project.