- The vulnerability is verified with the minimum amount of experimentation and testing.
- A clear exploit is developed.
- A member of the PHP Security Consortium contacts the appropriate parties in order to provide the exploit as well as establish a clear channel of communication.
- We reserve the right to notify the appropriate parties before a vulnerability can be verified.
Public Disclosure Policy
- When we are aware of a public exploit, we will release as little information as necessary to promote the correction of affected systems.
- When we are not aware of any public exploit, we will not disclose any information until after corrective measures are available for affected systems or after a period of four weeks has expired. We will work with the appropriate parties to offer corrective measures as soon as possible, and we reserve the right to grant an extension.