1 | | -# TempestPHP Security Policy |
| 1 | +# Tempest security policy |
2 | 2 |
|
3 | | -## Reporting a Security Issue |
| 3 | +## Reporting a security issue |
4 | 4 |
|
5 | | -If you think you have found a Security Issue within one or more of the TempestPHP repositories, don't use the Issues and don't publish a PR with proof of concept. In the first instance, report issues using [GitHub's security advisory reporting mechanism](https://github.com/tempestphp/tempest-framework/security/advisories/new), with as much information as you can provide, ideally including steps-to-recreate. Security reports submitted on this page are forwarded to the core maintainers, only. |
| 5 | +If you think you have found a security issue within Tempest, don't create a GitHub issue and don't publish a pull request with proof of concept. In the first instance, report issues using [GitHub's security advisory reporting mechanism](https://github.com/tempestphp/tempest-framework/security/advisories/new), with as much information as you can provide, ideally including steps-to-recreate. Security reports submitted on this page are forwarded to the core maintainers only. |
6 | 6 |
|
7 | | -The core maintainers will determine whether this is classified as a Security Issue, and address it accordingly, or whether it is classified as a regular bug, and may ask you to raise a GitHub Issue instead, at this time. |
| 7 | +The core maintainers will determine whether this is classified as a security issue, and address it accordingly, or whether it is classified as a regular bug, and may ask you to raise a GitHub issue instead, at this time. |
8 | 8 |
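Review bot: on the `+` line 5, "steps-to-recreate" is hyphenated as though it were a compound noun and reads oddly; "steps to reproduce" is the usual phrasing. Line 7 keeps the original's dangling "at this time" after "raise a GitHub issue instead", which makes the sentence trail off; consider "or whether it is a regular bug, in which case they may ask you to raise a GitHub issue instead." The section also never says whether reporters are credited in the advisory or release notes, which is something most reporters want to know before they file; one sentence on that would close the gap.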
|
9 | | -## Resolution Process |
| 9 | +## Resolution process |
10 | 10 |
|
11 | | -The core maintainers will aim to acknowledge and validate any reported Security Issue promptly. |
| 11 | +The core maintainers will aim to acknowledge and validate any reported security issue promptly. |
12 | 12 |
|
13 | | -Following the validation of a Security Issue, the core maintainers will broadly: |
| 13 | +Following the validation of a security issue, the core maintainers will broadly: |
14 | 14 |
|
15 | 15 | 1. Work on a patch and commit it to the repository via GitHub following the usual processes. |
16 | 16 |
|
17 | 17 | 2. Issue a release containing the security release. |
18 | 18 |
|
19 | 19 | 3. Consider offering a Rector automated fix within the release, where appropriate. |
20 | 20 |
|
21 | | -4. Notify all subscribed TempestPHP parties via the usual channels (discord, blog, etc) that the updated is published. |
| 21 | +4. Notify all subscribed Tempest parties via the usual channels (discord, blog, etc) that the updated is published. |
22 | 22 |
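Review bot: step 4 on the `+` line carries over the original's typo "that the updated is published"; it should read "that the update is published", and "discord" is a product name, so "Discord". Step 2 ("a release containing the security release") is unchanged context but is circular; "a release containing the security fix" is what is meant. More substantively, step 1 commits the patch to the repository "following the usual processes" and only then does step 2 issue a release, so the fix, and with it the vulnerability, is public in the default branch before a patched version exists; consider developing the fix in the advisory's temporary private fork and pushing the commit together with the tagged release.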
|
23 | | -## Keeping TempestPHP Secure |
| 23 | +## Keeping Tempest secure |
24 | 24 |
|
25 | | -Several controls are in place to ensure that TempestPHP code releases are kept secure. |
| 25 | +Several controls are in place to ensure that Tempest code releases are kept secure. |
26 | 26 |
|
27 | | -1. All maintainers with write access to the repository (currently, just core maintainers) utilise Multi-Factor Authentication. |
| 27 | +1. All maintainers with write access to the repository use multi-factor authentication. |
28 | 28 |
|
29 | 29 | 2. Branch protection is configured on the repository. |
30 | 30 |
|
31 | 31 | 3. All access rights and privileges (including automated accounts, API keys) are assigned on a Principle of Least Privilege basis. |
32 | 32 |
|
33 | | -4. Every Pull Request requires the successful completion of code quality and static analysis checks, and is reviewed by a core maintainer. |
| 33 | +4. Every pull request requires the successful completion of code quality and static analysis checks, and is reviewed by a core maintainer. |
34 | 34 |
|
35 | | -5. TempestPHP actively upgrades dependencies based on deprecations and notices from upstream packages where used. |
| 35 | +5. Tempest actively upgrades dependencies based on deprecations and notices from upstream packages where used. |
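Review bot: control 5 on the `+` line describes dependency upgrades driven by "deprecations and notices from upstream packages" but says nothing about security advisories for those packages, which is the control a reader of a "Keeping Tempest secure" section is looking for; consider stating that `composer audit` (or Dependabot / GitHub advisory alerts) runs in CI so a lock file with a known-vulnerable package fails the build. Control 3 asserts least privilege for automated accounts and API keys without saying how it is enforced; a short pointer (for example that CI tokens are repository-scoped with read-only defaults) would make the claim checkable. The file as a whole also has no supported-versions statement, so a reader cannot tell which release lines receive security fixes; a small table or sentence on that belongs in this policy.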