Important
This is a meta document discussing PHP security policies and processes. For the actual PHP security policy, see the PHP Vulnerability Disclosure Policy document.
PHP.net includes a security.txt file that complements the Vulnerability Disclosure Policy, aiding security vulnerability disclosure. This file implements the standard defined in RFC 9116, and more information is available at https://securitytxt.org.
RFC 9116 requires an Expires
field in security.txt
, and its recommendation
is for the Expires
field to be less than a year in the future. This provides
security researchers with confidence they are using our most up-to-date
reporting policies. To facilitate yearly updates to the Expires
field and
ensure freshness of the information in security.txt
, the PHP release managers
update the Expires
field as part of the X.Y.0 GA release.
From time-to-time, we may update security.txt
with new information, outside
of the yearly changes to the Expires
field.
All changes to security.txt
must be signed by a PHP release manager for a
currently supported version of PHP (at the time of the
changes). Release managers are the most logical choice for signing this file,
since we already publish their PGP keys.
To make changes to security.txt
:
-
Go to your local clone of web-php.
cd /path/to/web-php/.well-known
-
Remove the PGP signature that wraps the body of
security.txt
:gpg --decrypt --output security.txt security.txt
[!NOTE] To "decrypt"
security.txt
, you will need the public key of the release manager who last signed it in your GPG keychain. -
Make and save your changes to this file, e.g., update the
Expires
timestamp.There should be a "Signed by" comment in the file that looks similar to this:
# Signed by Ben Ramsey <[email protected]> on 2023-09-28.
Update this line with your name, the email address associated with the key you're using to sign the file, and the current date.
-
Sign your changes:
gpg --clearsign --local-user [email protected] --output security.txt.asc security.txt
[!WARNING] You cannot use
--output
to output the signature to the same file as the input file orgpg
will result in a signature wrapped around empty content. -
Last, replace
security.txt
withsecurity.txt.asc
and commit your changes:mv security.txt.asc security.txt git commit security.txt
Note
You may verify the signature with the following command:
gpg --verify security.txt