php-framework/SECURITY.md

# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 1.x     | :white_check_mark: |
| < 1.0   | :x:                |

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them via email to: **support@host.uk.com**

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

## What to Include

Please include the following information in your report:

- **Type of vulnerability** (e.g., SQL injection, XSS, authentication bypass)
- **Full paths** of source file(s) related to the vulnerability
- **Location** of the affected source code (tag/branch/commit or direct URL)
- **Step-by-step instructions** to reproduce the issue
- **Proof-of-concept or exploit code** (if possible)
- **Impact** of the vulnerability and how an attacker might exploit it

This information will help us triage your report more quickly.

## Response Process

1. **Acknowledgment** - We'll confirm receipt of your vulnerability report within 48 hours
2. **Assessment** - We'll assess the vulnerability and determine its severity (typically within 5 business days)
3. **Fix Development** - We'll develop a fix for the vulnerability
4. **Disclosure** - Once a fix is available, we'll:
   - Release a security patch
   - Publish a security advisory
   - Credit the reporter (unless you prefer to remain anonymous)

## Security Update Policy

Security updates are released as soon as possible after a vulnerability is confirmed and patched. We follow these severity levels:

### Critical
- **Response time:** Within 24 hours
- **Patch release:** Within 48 hours
- **Examples:** Remote code execution, SQL injection, authentication bypass

### High
- **Response time:** Within 48 hours
- **Patch release:** Within 5 business days
- **Examples:** Privilege escalation, XSS, CSRF

### Medium
- **Response time:** Within 5 business days
- **Patch release:** Next scheduled release
- **Examples:** Information disclosure, weak cryptography

### Low
- **Response time:** Within 10 business days
- **Patch release:** Next scheduled release
- **Examples:** Minor security improvements

## Security Features

The Core PHP Framework includes several security features:

### Multi-Tenant Isolation
- Automatic workspace scoping prevents cross-tenant data access
- Strict mode throws exceptions on missing workspace context
- Request validation ensures workspace context authenticity

### API Security
- Bcrypt hashing for API keys (SHA-256 legacy support)
- Rate limiting per workspace with burst allowance
- HMAC-SHA256 webhook signing
- Scope-based permissions

### SQL Injection Prevention
- Multi-layer query validation (MCP package)
- Blocked keywords (INSERT, UPDATE, DELETE, DROP)
- Pattern detection for SQL injection attempts
- Read-only database connection support
- Table access controls

### Input Sanitization
- Built-in HTML/JS sanitization
- XSS prevention
- Email validation and disposable email blocking

### Security Headers
- Content Security Policy (CSP)
- HSTS, X-Frame-Options, X-Content-Type-Options
- Referrer Policy
- Permissions Policy

### Action Gate System
- Request whitelisting for sensitive operations
- Training mode for development
- Audit logging for all actions

## Security Best Practices

When using the Core PHP Framework:

### API Keys
- Store API keys securely (never in version control)
- Use environment variables or secure key management
- Rotate keys regularly
- Use minimal required scopes

### Database Access
- Use read-only connections for MCP tools
- Configure blocked tables for sensitive data
- Enable query whitelisting in production

### Workspace Context
- Always validate workspace context in custom tools
- Use `RequiresWorkspaceContext` trait
- Never bypass workspace scoping

### Rate Limiting
- Configure appropriate limits per tier
- Monitor rate limit violations
- Implement backoff strategies in API clients

### Activity Logging
- Enable activity logging for sensitive operations
- Regularly review activity logs
- Set appropriate retention periods

## Security Changelog

See [packages/core-mcp/changelog/2026/jan/security.md](packages/core-mcp/changelog/2026/jan/security.md) for recent security fixes.

## Credits

We appreciate the security research community and would like to thank the following researchers for responsibly disclosing vulnerabilities:

- *No vulnerabilities reported yet*

## Bug Bounty Program

We do not currently have a formal bug bounty program, but we deeply appreciate security research. Researchers who report valid security vulnerabilities will be:

- Credited in our security advisories (if desired)
- Listed in this document
- Given early access to security patches

## PGP Key

For sensitive security reports, you may encrypt your message using our PGP key:

```
-----BEGIN PGP PUBLIC KEY BLOCK-----
[To be added if needed]
-----END PGP PUBLIC KEY BLOCK-----
```

## Contact

- **Security Email:** support@host.uk.com
- **General Support:** https://github.com/host-uk/core-php/discussions
- **GitHub Security Advisories:** https://github.com/host-uk/core-php/security/advisories

## Disclosure Policy

When working with us according to this policy, you can expect us to:

- Respond to your report promptly
- Keep you informed about our progress
- Treat your report confidentially
- Credit your discovery publicly (if desired)
- Work with you to fully understand and resolve the issue

We request that you:

- Give us reasonable time to fix the vulnerability before public disclosure
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Do not access or modify data that doesn't belong to you
- Do not perform attacks that could harm reliability or integrity of our services