|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +We support fixing security issues on the following releases: |
| 6 | + |
| 7 | +| Version | Supported | Security fixes until |
| 8 | +| ------- | ------------------ | -------------------- |
| 9 | +| 5.x | :white_check_mark: | Currently supported |
| 10 | +| 4.x | :white_check_mark: | 36 Months after the release of CakePHP 5.0 (09 Sep 2026) |
| 11 | +| 3.x | :x: | No longer supported |
| 12 | +| 2.x | :x: | No longer supported |
| 13 | +| 1.x | :x: | No longer supported |
| 14 | + |
| 15 | +## Reporting a Vulnerability |
| 16 | + |
| 17 | +If you've found a security issue in CakePHP DebugKit, please use the following |
| 18 | +procedure instead of the normal bug reporting system. Instead of using the bug |
| 19 | +tracker, or one of the support forums please send an email to |
| 20 | +security [at] cakephp.org. Emails sent to this address go to the CakePHP core |
| 21 | +team on a private mailing list. |
| 22 | + |
| 23 | +For each report, we try to first confirm the vulnerability. Once confirmed, |
| 24 | +the CakePHP team will take the following actions: |
| 25 | + |
| 26 | +* Acknowledge to the reporter that we've received the issue, and are |
| 27 | + working on a fix. We ask that the reporter keep the issue confidential until we announce it. |
| 28 | +* Get a fix/patch prepared. |
| 29 | +* Prepare a post describing the vulnerability, and the possible exploits. |
| 30 | +* Release new versions of all affected versions. |
| 31 | +* Prominently feature the problem in the release announcement |
0 commit comments