
Commit dbe24be

fabpot authored and weaverryan committed
added information about downstream projects included in our security issue resolving process
1 parent 8854b29 commit dbe24be

File tree

1 file changed, +40 -0 lines changed

contributing/code/security.rst

+40
@@ -48,6 +48,46 @@ confirmed, the core-team works on a solution following these steps:
4848

4949
While we are working on a patch, please do not reveal the issue publicly.
5050

51+
.. note::
52+
53+
The resolution takes anywhere between a couple of days to a month to solve
54+
an issue depending on its complexity and the coordination with the
55+
downstream projects (see next paragraph).
56+
57+
Collaborating with Downstream Open-Source Projects
58+
--------------------------------------------------
59+
60+
As Symfony is used by many large Open-Source projects, we standardized the way
61+
the Symfony security team collaborate on security issues with downstream
62+
projects. The process works as follows:
63+
64+
1. After the Symfony security team has acknowledged a security issue, it
65+
immediately send an email to the downstream project security teams to inform
66+
them of the issue;
67+
68+
2. The Symfony security team creates a private Git repository to ease the
69+
collaboration on the issue and access to this repository is given to the
70+
Symfony security team, to the Symfony contributors that are impacted by the
71+
issue, and to one representative of each downstream projects;
72+
73+
3. All people with access to the private repository work on a solution to
74+
solve the issue via pull requests, code reviews, and comments;
75+
76+
4. Once the fix is found, all involved projects collaborate to find the best
77+
date for a joint release (there is no guarantee that all releases will be at
78+
the same time but we will try hard to make them at about the same time).
79+
80+
The list of downstream projects participating in this process is kept as small
81+
as possible in order to better manage the flow of confidential information
82+
prior to disclosure. As such, projects are included at the sole discretion of
83+
the Symfony security team.
84+
85+
As of today, the following projects have validated this process and are part
86+
of the downstream projects included in this process:
87+
88+
* Drupal
89+
* eZPublish
90+
5191
Security Advisories
5292
-------------------
5393
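Review bot: a few grammar slips in the added text should be fixed before this merges: "the Symfony security team collaborate on security issues" should read "collaborates", "it immediately send an email" in step 1 should read "sends", and "one representative of each downstream projects" in step 2 should read "each downstream project". In the note, "anywhere between a couple of days to a month" reads better as "between a couple of days and a month", and "see next paragraph" actually refers to the new section that follows, so "see the next section" is more accurate. On substance, step 1 informs the downstream security teams but the new text never says what they are expected to do with that information before the joint release in step 4; one sentence stating that the embargo from the preceding line ("please do not reveal the issue publicly") also binds everyone given access to the private repository would close that gap.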
