docs: add security policy #2127
innocenzi left a comment:
Only a syntax review, I haven't checked the policy itself; it will need @aidan-casey, @xHeaven and @brendt's review.
Obviously I can make all of those changes, but from a grammar standpoint;
So in this context, most of those should in fact be capitalised where used. If you need the headings to follow the convention so only the first character is a capital, I can re-work it so it doesn't use the proper nouns, but the references within the paragraphs themselves should remain capitalised. Would that work? (And I can obviously do a commit changing TempestPHP to Tempest...)
Sorry, but you're incorrect. None of those are "proper nouns", they're actually common nouns, even those referring to very specific concepts. Let's stick to sentence case to stay consistent with the current documentation and keep it easy to scan.
Co-authored-by: Enzo Innocenzi <enzo@innocenzi.dev>
This pull request is stale because it has been open for 30 days with no activity.
This pull request was closed because it has been inactive for 1 day since being marked as stale.
aidan-casey left a comment:
Generally I think this looks good. Let's get these changes made and get it merged.
> ## Reporting a security issue

Suggested change:

- If you think you have found a security issue within Tempest, don't create a GitHub issue and don't publish a pull request with proof of concept. In the first instance, report issues using [GitHub's security advisory reporting mechanism](https://github.com/tempestphp/tempest-framework/security/advisories/new), with as much information as you can provide, ideally including steps-to-recreate. Security reports submitted on this page are forwarded to the core maintainers only.
+ If you believe you have discovered a security issue in Tempest, please do not create a GitHub issue or publish a proof-of-concept pull request.
+ Instead, report the issue using [GitHub's security advisory reporting mechanism](https://github.com/tempestphp/tempest-framework/security/advisories/new) and provide as much detail as possible, including steps to reproduce the issue where applicable. Reports submitted through this process are visible only to the core maintainers.
Suggested change:

- The core maintainers will determine whether this is classified as a security issue, and address it accordingly, or whether it is classified as a regular bug, and may ask you to raise a GitHub issue instead, at this time.
+ The core maintainers will determine whether this is classified as a security issue, and address it accordingly, or whether it is classified as a regular bug, and may ask you to raise a GitHub issue instead.
> ## Resolution process

Suggested change:

- The core maintainers will aim to acknowledge and validate any reported security issue promptly.
+ The core maintainers will acknowledge and validate reported security issues as promptly as possible.
Suggested change:

- Following the validation of a security issue, the core maintainers will broadly:
+ Following the validation of a security issue, the core maintainers will:
> 3. Consider offering a Rector automated fix within the release, where appropriate.

Suggested change:

- 4. Notify all subscribed Tempest parties via the usual channels (discord, blog, etc) that the updated is published.
+ 4. Notify all subscribed Tempest parties via the usual channels (Discord, blog, etc) that the updated is published.
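Review bot: the suggested line for item 4 still carries the typo from the original, "that the updated is published"; the suggestion only capitalises "Discord". Since this is the sentence users will read to learn when a fixed release is out, it should read "that the update is published" (or "that the fixed release is published") so the notification step is unambiguous.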
I offered to type this up in the Discord a while ago, Aidan said to go ahead, so now committing this for review.
It's just a light touch and from what I can see outwardly just covers off what you're already doing.
I drew guidance from the following:
- https://symfony.com/doc/current/contributing/code/security.html
- https://github.com/github/opensource.guide/blob/main/_articles/security-best-practices-for-your-project.md
- Personal knowledge (I'm an InfoSec Consultant)
If you'd like me to go into more detail or add anything else, I'm happy to work on it.
You may also need to manually link it in the "Security and quality" tab if it's not automatically detected.
In the initial commit I did suggest a security shared email address, but as GH has a private submission form which goes to core maintainers, I just updated to use that link.