php-framework/docs/security/responsible-disclosure.md


# Responsible Disclosure
We take the security of Core PHP Framework seriously. If you believe you have found a security vulnerability, we encourage you to let us know right away.
## Reporting a Vulnerability
**Email:** support@host.uk.com

**PGP Key:** Available on request

Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
## What to Expect
1. **Acknowledgment** - We will acknowledge receipt of your vulnerability report within 24 hours
2. **Investigation** - We will investigate and validate the vulnerability
3. **Response Timeline** - Based on severity:
   - **Critical**: 24-48 hours for initial response, patch within 7 days
   - **High**: 48-72 hours for initial response, patch within 14 days
   - **Medium**: 7 days for initial response, patch within 30 days
   - **Low**: 14 days for initial response, patch within 60 days
4. **Fix Development** - We will develop a fix and notify you when it's ready for testing
5. **Disclosure** - We will coordinate disclosure timing with you
## Our Commitment
- We will respond to your report promptly
- We will keep you informed of our progress
- We will credit you in our security advisory (unless you prefer to remain anonymous)
- We will not take legal action against you for responsible disclosure
## What We Ask
- Give us reasonable time to respond before disclosing the vulnerability publicly
- Make a good faith effort to avoid privacy violations, data destruction, and service interruption
- Don't access or modify data that doesn't belong to you
- Don't perform actions that could negatively affect our users
## Out of Scope
The following are **out of scope**:
- Clickjacking on pages with no sensitive actions
- CSRF on unauthenticated endpoints (including logout CSRF)
- Attacks requiring physical access to a user's device
- Attacks involving physical access to servers
- Social engineering attacks, including spam
- Denial of Service attacks
- Reports from automated tools or scanners without manual validation
## Severity Classification
### Critical
- Remote code execution
- SQL injection
- Authentication bypass
- Privilege escalation to admin
- Exposure of sensitive data (credentials, keys)
### High
- Cross-site scripting (XSS) on sensitive pages
- Cross-site request forgery (CSRF) on sensitive actions
- Server-side request forgery (SSRF)
- Insecure direct object references to sensitive data
- Path traversal
- XML external entity (XXE) attacks
### Medium
- XSS on non-sensitive pages
- Missing security headers
- Information disclosure (non-sensitive)
- Open redirects
### Low
- Missing rate limiting on non-critical endpoints
- Verbose error messages
- Best practice violations without direct security impact
## Recognition
We maintain a Hall of Fame for security researchers who have responsibly disclosed vulnerabilities:
**2026**
- TBD
If you would like to be listed, please let us know in your disclosure email.
## Legal
This disclosure policy is based on industry best practices. By participating in our responsible disclosure program, you agree to:
- Comply with all applicable laws
- Not access or modify data beyond what is necessary to demonstrate the vulnerability
- Not perform actions that degrade our services
- Keep vulnerability details confidential until we have released a fix
We commit to not pursuing legal action against researchers who:
- Follow this policy
- Act in good faith
- Don't violate any other laws or agreements
## Example Report
```
Subject: [SECURITY] SQL Injection in PostController
Vulnerability Type: SQL Injection
Severity: Critical
Affected Component: Mod/Blog/Controllers/PostController.php
Description:
The search functionality in PostController interpolates user input directly
into SQL query strings instead of binding it as a parameter, allowing SQL injection.
Steps to Reproduce:
1. Navigate to /blog/search
2. Enter payload: ' OR '1'='1
3. Observe that the query returns rows outside the intended result set
Impact:
Attacker can read arbitrary data from the database, including user
credentials and API keys.
Proof of Concept:
[Include curl command or video demonstration]
Suggested Fix:
Use parameterized queries or Eloquent ORM instead of raw SQL.
Contact:
[Your name/handle]
[Your email]
[Your PGP key if applicable]
```
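The suggested fix from the example report, shown as an added illustration in plain PDO. This is not code from Core PHP Framework (its own query builder or ORM would stand in for the PDO calls); the `posts` table, its rows and the `searchVulnerable`/`searchFixed` helpers are constructed for this example, and an in-memory SQLite database keeps it runnable offline. It places the vulnerable exact-match search beside its parameterized form and feeds both the payload from the report.

```php
<?php
declare(strict_types=1);

// Added example, not Core PHP Framework code. The table, rows and function
// names are constructed for illustration; SQLite in memory keeps it offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL, published INTEGER NOT NULL)');
$pdo->exec("INSERT INTO posts (title, published) VALUES
    ('Hello world', 1),
    ('Draft: unannounced launch', 0),
    ('Release notes', 1)");

// Vulnerable: the search term is concatenated into the SQL text, which is
// the pattern the example report above describes. Only published posts are
// meant to be visible to the caller.
function searchVulnerable(PDO $pdo, string $term): array
{
    $sql = "SELECT title FROM posts WHERE published = 1 AND title = '" . $term . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the SQL text is constant and the term travels as a bound parameter,
// so quotes and keywords in the input are data, never syntax.
function searchFixed(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT title FROM posts WHERE published = 1 AND title = :term');
    $stmt->execute([':term' => $term]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The payload from the example report. In the vulnerable query it becomes
//   WHERE published = 1 AND title = '' OR '1'='1'
// and because AND binds tighter than OR, the published filter no longer
// restricts anything: every row, including the unpublished draft, matches.
// The fixed query compares each title against the literal string
// "' OR '1'='1" and matches nothing.
$payload = "' OR '1'='1";

echo "vulnerable:        " . implode(', ', searchVulnerable($pdo, $payload)) . PHP_EOL;
echo "fixed:             " . implode(', ', searchFixed($pdo, $payload)) . PHP_EOL;
echo "fixed, real title: " . implode(', ', searchFixed($pdo, 'Hello world')) . PHP_EOL;
```

Runs with any PHP build that ships pdo_sqlite. With pdo_mysql, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that parameters are bound server-side rather than escaped client-side, and keep table and column names out of bound parameters altogether: they cannot be parameterized and need an allow-list instead.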
## Updates to This Policy
We may update this policy from time to time. The latest version will always be available at:
https://docs.core-php.dev/security/responsible-disclosure
## Contact
For security issues: support@host.uk.com (do not file security reports as public GitHub issues)
For general, non-security inquiries: https://github.com/host-uk/core-php/issues
## References
- [OWASP Vulnerability Disclosure Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html)
- [ISO/IEC 29147:2018](https://www.iso.org/standard/72311.html) - Vulnerability disclosure
- [ISO/IEC 30111:2019](https://www.iso.org/standard/69725.html) - Vulnerability handling processes