core/php-framework
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3
php-framework/SECURITY.md

5.8 KiB
Raw Blame History

Security Policy

Supported Versions

Version Supported
1.x
< 1.0

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: dev@host.uk.com

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

What to Include

Please include the following information in your report:

  • Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
  • Full paths of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the vulnerability and how an attacker might exploit it

This information will help us triage your report more quickly.

Response Process

  1. Acknowledgment - We'll confirm receipt of your vulnerability report within 48 hours
  2. Assessment - We'll assess the vulnerability and determine its severity (typically within 5 business days)
  3. Fix Development - We'll develop a fix for the vulnerability
  4. Disclosure - Once a fix is available, we'll:
    • Release a security patch
    • Publish a security advisory
    • Credit the reporter (unless you prefer to remain anonymous)

Security Update Policy

Security updates are released as soon as possible after a vulnerability is confirmed and patched. We follow these severity levels:

Critical

  • Response time: Within 24 hours
  • Patch release: Within 48 hours
  • Examples: Remote code execution, SQL injection, authentication bypass

High

  • Response time: Within 48 hours
  • Patch release: Within 5 business days
  • Examples: Privilege escalation, XSS, CSRF

Medium

  • Response time: Within 5 business days
  • Patch release: Next scheduled release
  • Examples: Information disclosure, weak cryptography

Low

  • Response time: Within 10 business days
  • Patch release: Next scheduled release
  • Examples: Minor security improvements

Security Features

The Core PHP Framework includes several security features:

Multi-Tenant Isolation

  • Automatic workspace scoping prevents cross-tenant data access
  • Strict mode throws exceptions on missing workspace context
  • Request validation ensures workspace context authenticity

API Security

  • Bcrypt hashing for API keys (SHA-256 legacy support)
  • Rate limiting per workspace with burst allowance
  • HMAC-SHA256 webhook signing
  • Scope-based permissions

SQL Injection Prevention

  • Multi-layer query validation (MCP package)
  • Blocked keywords (INSERT, UPDATE, DELETE, DROP)
  • Pattern detection for SQL injection attempts
  • Read-only database connection support
  • Table access controls

Input Sanitization

  • Built-in HTML/JS sanitization
  • XSS prevention
  • Email validation and disposable email blocking

Security Headers

  • Content Security Policy (CSP)
  • HSTS, X-Frame-Options, X-Content-Type-Options
  • Referrer Policy
  • Permissions Policy

Action Gate System

  • Request whitelisting for sensitive operations
  • Training mode for development
  • Audit logging for all actions

Security Best Practices

When using the Core PHP Framework:

API Keys

  • Store API keys securely (never in version control)
  • Use environment variables or secure key management
  • Rotate keys regularly
  • Use minimal required scopes

Database Access

  • Use read-only connections for MCP tools
  • Configure blocked tables for sensitive data
  • Enable query whitelisting in production

Workspace Context

  • Always validate workspace context in custom tools
  • Use RequiresWorkspaceContext trait
  • Never bypass workspace scoping

Rate Limiting

  • Configure appropriate limits per tier
  • Monitor rate limit violations
  • Implement backoff strategies in API clients

Activity Logging

  • Enable activity logging for sensitive operations
  • Regularly review activity logs
  • Set appropriate retention periods

Security Changelog

See packages/core-mcp/changelog/2026/jan/security.md for recent security fixes.

Credits

We appreciate the security research community and would like to thank the following researchers for responsibly disclosing vulnerabilities:

  • No vulnerabilities reported yet

Bug Bounty Program

We do not currently have a formal bug bounty program, but we deeply appreciate security research. Researchers who report valid security vulnerabilities will be:

  • Credited in our security advisories (if desired)
  • Listed in this document
  • Given early access to security patches

PGP Key

For sensitive security reports, you may encrypt your message using our PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[To be added if needed]
-----END PGP PUBLIC KEY BLOCK-----

Contact

Disclosure Policy

When working with us according to this policy, you can expect us to:

  • Respond to your report promptly
  • Keep you informed about our progress
  • Treat your report confidentially
  • Credit your discovery publicly (if desired)
  • Work with you to fully understand and resolve the issue

We request that you:

  • Give us reasonable time to fix the vulnerability before public disclosure
  • Make a good faith effort to avoid privacy violations, data destruction, and service disruption
  • Do not access or modify data that doesn't belong to you
  • Do not perform attacks that could harm reliability or integrity of our services