
Security: kariricode/php-api-stack

SECURITY.md

Security Policy

The security of the PHP API Stack is a top priority. As a free and open-source project under the MIT license, we rely on our community to help us identify and resolve issues. We appreciate the efforts of security researchers and users who help us maintain a high standard of security.

Supported Versions

We are committed to providing security updates for the latest versions of the stack available on our primary branches.

Branch   | Supported
---------|----------
main     | yes
develop  | yes

Reporting a Vulnerability

We encourage the responsible disclosure of security vulnerabilities. Please do not report security issues through public GitHub issues, discussions, or pull requests.

Instead, please use one of the following private methods:

1. GitHub Private Vulnerability Reporting (Preferred)

The most secure way to report a vulnerability is directly through GitHub's private reporting feature. This ensures the information is encrypted and only accessible to the repository maintainers.

Submit a private vulnerability report

2. Email

If you are unable to use GitHub's reporting tool, you can send an email to our private security alias:

community@kariricode.org

What to Include in Your Report

To help us resolve the issue as quickly as possible, please provide a detailed report, including:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue (Proof of Concept).
  • The version or commit SHA of the code where the vulnerability was discovered.
  • Any suggestions for mitigation or potential fixes, if you have them.

Our Commitment (What to Expect)

When you report a vulnerability to us, we commit to the following:

  1. We will acknowledge receipt of your report within 48 hours.
  2. We will investigate the issue and confirm the vulnerability.
  3. We will provide you with regular status updates on our progress.
  4. We will work to develop and release a patch as quickly as possible.
  5. We will notify you when the fix has been released and, if you agree, publicly credit you for your contribution.

Scope

This security policy applies to the code and configurations managed within the kariricode/php-api-stack repository. It does not cover vulnerabilities in third-party dependencies, which should be reported to their respective projects.

Public Disclosure

We follow a Coordinated Vulnerability Disclosure (CVD) model. Our policy is to only disclose a vulnerability publicly after a fix has been developed and made available.


We deeply appreciate your help in keeping the PHP API Stack and its users secure.
