Found a security issue in Symfony2? Don't use the mailing-list or the bug tracker. All security issues must be sent to security [at] symfony-project.com instead. Emails sent to this address are forwarded to the Symfony core-team private mailing-list.
For each report, we first try to confirm the vulnerability. When it is confirmed, the core-team works on a solution following these steps:
- Send an acknowledgement to the reporter;
- Work on a patch;
- Write a post describing the vulnerability, the possible exploits, and how to patch/upgrade affected applications;
- Apply the patch to all maintained versions of Symfony;
- Publish the post on the official Symfony blog.
Note
While we are working on a patch, please do not reveal the issue publicly.