New symfony security policy

Last week we've fixed a security bug allowing XSS attacks in certain circumstances. The related ticket was opened more than a year ago.

You may be wondering why it has been taking us such a long time to react. Here's the main reason: we had not a very strong security alert reporting and qualifying process. This has been fixed recently.

So as of now, if you find a security bug in symfony, please send an email to security at, with as much details as you can and ideally a patch if you can provide one. Your message will be forwarded to the core team internal mailing-list, qualified and addressed as quickly as possible. The whole procedure is detailed in a dedicated section of the brand new how to contribute page in the symfony wiki.

By the way don't hesitate to read the whole how to contribute page on the wiki, as there's plenty of information on how you can help the symfony project.


I'm glad to see that security is taken seriously!

Thanks for that. Keep on your good work :)
pookey will be happy!

But really, this is a good thing. Another reason symfony is #1, really.
i think it's good you take care about security, but i wonder how you review tickets and affect priority to them...
@notjosh - indeed - I am happy :)

I was deliberately playing Devil's Advocate on my blog post related to this, in an effort to get things moving. I'm please we as a community have managed to get this ball rolling in the right direction.
Great idea :D

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.