From c4105b6243e8c0ae6882e847414df5930ac45ac7 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Fri, 22 May 2026 15:57:28 +0200 Subject: [PATCH] [skip ci] Add classification section to SECURITY.md (GH-22109) According to Volker, AI models respect this file when evaluating security issues. While we do link to php/policies:security-classification.rst, this clearly isn't enough to stop the frequent false-positive reports. I copied any relevant items from security-classification.rst, but also reworded them to be more explicit. --- SECURITY.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index deb5a7a950a4..8a45d86049ee 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,6 +11,29 @@ Vulnerability reports remain private until published. When published, you will be credited as a contributor, and your contribution will reflect the MITRE Credit System. +# Classification + +Issues commonly reported that are _not_ considered security issues include (but +are not limited to): + +- Invocation of specially crafted, malicious code intended to cause memory + violations. This commonly includes malicious error handlers, destructors or + `__toString()` functions. PHP does not offer sandboxing, and the execution of + untrusted code is always considered unsafe. Such issues are bugs, but not + security issues. They may still be reported, though please avoid reporting + the known issues. + +- Passing malicious arguments to functions clearly not intended to receive + unsanitized values, e.g. `mysqli_query()`. `escapeshellarg()` on the other + hand should clearly be hardened against unsafe inputs. + +- The use of legacy APIs or settings known to be insecure, particularly those + documented as such, or those with a secure alternative. + +- The use of FFI. + +- `open_basedir` or `disable_functions` bypasses. + # Vulnerability Policy Our full policy is described at
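Review bot: in the first bullet, "They may still be reported, though please avoid reporting the known issues." gives a reporter no way to tell which crashes are already known; name where to look (the public bug tracker, or a tracking issue) so the sentence can actually reduce duplicates. Two smaller documentation points in the same hunk: "- The use of FFI." would read less arbitrary with a short reason attached (FFI exists to let scripts call native code and touch raw memory, so crashes reachable only through it are expected behaviour, not a boundary failure), and "- `open_basedir` or `disable_functions` bypasses." could say outright that these settings are not treated as security boundaries, which is the actual classification reason rather than just an example list. Since the list is explicitly "not limited to", consider ending the section with the link to security-classification.rst that the commit message mentions, so the authoritative list stays one click away from the summary.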