Merge pull request #1077 from cakephp/add-security-policy

LordSimal · web-flow · commit 14a76355225f · 2026-05-29T15:22:40.000+02:00
Add security policy
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are applied to all active versions listed in the
+[version map](https://github.com/cakephp/debug_kit/wiki#version-map).
+Versions marked as EOL no longer receive fixes.
+
+## Reporting a Vulnerability
+
+If you've found a security issue in CakePHP DebugKit, please use the following
+procedure instead of the normal bug reporting system. Instead of using the bug
+tracker, or one of the support forums please send an email to
+security [at] cakephp.org. Emails sent to this address go to the CakePHP core
+team on a private mailing list.
+
+For each report, we try to first confirm the vulnerability. Once confirmed,
+the CakePHP team will take the following actions:
+
+* Acknowledge to the reporter that we've received the issue, and are
+  working on a fix. We ask that the reporter keep the issue confidential until we announce it.
+* Get a fix/patch prepared.
+* Prepare a post describing the vulnerability, and the possible exploits.
+* Release new versions of all affected versions.
+* Prominently feature the problem in the release announcement
