Security Issue Management Improvements

December 18, 2012 · Published by Avatar of Fabien Potencier Fabien Potencier

Some days ago, Kousuke Ebihara sent an email to the Symfony dev mailing-list about how we could improve the security release announcements. It also took the time to list all past security issues in Symfony.

Today, I'm pleased to announced that we have improved our management of security issues in several ways:

  • There is a new Security Advisories section on the blog that lists all blog posts about security releases;
  • We have improved our process by refining the way we handle and resolve security issues;
  • There is a new http://symfony.com/security shortcut URL that redirects to the documentation section that talks about security in Symfony;
  • The security page in the documentation now also lists all past security advisories (including the ones for symfony 1.x);
  • All emails sent from the mailing-list now have a link to the security page.
Published in #Documentation

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Christof Damian
Christof Damian said on Dec 18, 2012
It might be good also to mention the CVE number where available. These are for used for example in Linux distributions to track security issues.

There are some already available for symfony: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=symfony

It could be even an idea to request numbers for new security issues which haven't a assigned one yet, but I have no idea how complicated that is.
Avatar of Lukas Kahwe Smith
Lukas Kahwe Smith said on Dec 18, 2012
The next important step here is to better formalize the security team, especially integrate members of our big users like Drupal and ezPublish.
Avatar of Fabien Potencier
Fabien Potencier Certified said on Dec 19, 2012
I've just added references to CVE numbers where available:

https://github.com/symfony/symfony-docs/pull/2047
Avatar of Fabien Potencier
Fabien Potencier Certified said on Dec 19, 2012
I've just sent an email to learn more about the process of CVE identifiers management as I would like to get one for each new security issue in the future.

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.