Notification Policy

  1. The vulnerability is verified with the minimum amount of experimentation and testing.
  2. A clear exploit is developed.
  3. A member of the PHP Security Consortium contacts the appropriate parties in order to provide the exploit as well as establish a clear channel of communication.
  4. We reserve the right to notify the appropriate parties before a vulnerability can be verified.

Public Disclosure Policy

  1. When we are aware of a public exploit, we will release as little information as necessary to promote the correction of affected systems.
  2. When we are not aware of any public exploit, we will not disclose any information until after corrective measures are available for affected systems or after a period of four weeks has expired. We will work with the appropriate parties to offer corrective measures as soon as possible, and we reserve the right to grant an extension.