- The vulnerability is verified with the minimum amount of
experimentation and testing.
- A clear exploit is developed.
- A member of the PHP Security Consortium contacts the
appropriate parties in order to provide the exploit as well as
establish a clear channel of communication.
- We reserve the right to notify the appropriate parties
before a vulnerability can be verified.

Public Disclosure Policy

- When we are aware of a public exploit, we will release as
little information as necessary to promote the correction of
- When we are not aware of any public exploit, we will not
disclose any information until after corrective measures are
available for affected systems or after a period of four weeks has
expired. We will work with the appropriate parties to offer
corrective measures as soon as possible, and we reserve the right
to grant an extension.