From 84c2a7bc6773c9aa4f18fd45d066157d5c010dd1 Mon Sep 17 00:00:00 2001 From: iamdadmin Date: Mon, 27 Apr 2026 06:39:28 +0100 Subject: [PATCH 1/3] docs: add security.md --- SECURITY.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..9f2713238 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,35 @@ +# TempestPHP Security Policy + +## Reporting a Security Issue + +If you think you have found a Security Issue within one or more of the TempestPHP repositories, don't use the Issues and don't publish a PR with proof of concept. In the first instance, report issues to **security (at) tempestphp (dot) com**, with as much information as you can provide, ideally including steps-to-recreate. Emails sent to this address are forwarded to the core maintainers. + +The core maintainers will determine whether this is classified as a Security Issue, and address it accordingly, or whether it is classified as a regular bug, and may ask you to raise a GitHub Issue instead, at this time. + +## Resolution Process + +The core maintainers will aim to acknowledge and validate any reported Security Issue promptly. + +Following the validation of a Security Issue, the core maintainers will broadly: + +1. Work on a patch and commit it to the repository via GitHub following the usual processes. + +2. Issue a release containing the security release. + +3. Consider offering a Rector automated fix within the release, where appropriate. + +4. Notify all subscribed TempestPHP parties via the usual channels (discord, blog, etc) that the updated is published. + +## Keeping TempestPHP Secure + +Several controls are in place to ensure that TempestPHP code releases are kept secure. + +1. All maintainers with write access to the repository (currently, just core maintainers) utilise Multi-Factor Authentication. + +2. Branch protection is configured on the repository. + +3. All access rights and privileges (including automated accounts, API keys) are assigned on a Principle of Least Privilege basis. + +4. Every Pull Request requires the successful completion of code quality and static analysis checks, and is reviewed by a core maintainer. + +5. TempestPHP actively upgrades dependencies based on deprecations and notices from upstream packages where used. \ No newline at end of file 
From fe3d5b7d30b1dda3f89dfd8000bdde58e8465b90 Mon Sep 17 00:00:00 2001 From: iamdadmin Date: Mon, 27 Apr 2026 06:46:50 +0100 Subject: [PATCH 2/3] docs: use Github's advisory reporting mechanism --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 9f2713238..840fc438d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,7 +2,7 @@ ## Reporting a Security Issue -If you think you have found a Security Issue within one or more of the TempestPHP repositories, don't use the Issues and don't publish a PR with proof of concept. In the first instance, report issues to **security (at) tempestphp (dot) com**, with as much information as you can provide, ideally including steps-to-recreate. Emails sent to this address are forwarded to the core maintainers. +If you think you have found a Security Issue within one or more of the TempestPHP repositories, don't use the Issues and don't publish a PR with proof of concept. In the first instance, report issues using [GitHub's security advisory reporting mechanism](https://github.com/tempestphp/tempest-framework/security/advisories/new), with as much information as you can provide, ideally including steps-to-recreate. Security reports submitted on this page are forwarded to the core maintainers, only. The core maintainers will determine whether this is classified as a Security Issue, and address it accordingly, or whether it is classified as a regular bug, and may ask you to raise a GitHub Issue instead, at this time. From e089a15884ebde37b3c7ccbffe6f23ea7ac2f2ba Mon Sep 17 00:00:00 2001 From: iamDadmin Date: Tue, 28 Apr 2026 05:19:52 +0100 Subject: [PATCH 3/3] docs: apply grammar changes as requested Co-authored-by: Enzo Innocenzi --- SECURITY.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 840fc438d..2e53405e9 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,16 +1,16 @@ -# TempestPHP Security Policy +# Tempest security policy -## Reporting a Security Issue +## Reporting a security issue -If you think you have found a Security Issue within one or more of the TempestPHP repositories, don't use the Issues and don't publish a PR with proof of concept. In the first instance, report issues using [GitHub's security advisory reporting mechanism](https://github.com/tempestphp/tempest-framework/security/advisories/new), with as much information as you can provide, ideally including steps-to-recreate. Security reports submitted on this page are forwarded to the core maintainers, only. +If you think you have found a security issue within Tempest, don't create a GitHub issue and don't publish a pull request with proof of concept. In the first instance, report issues using [GitHub's security advisory reporting mechanism](https://github.com/tempestphp/tempest-framework/security/advisories/new), with as much information as you can provide, ideally including steps-to-recreate. Security reports submitted on this page are forwarded to the core maintainers only. -The core maintainers will determine whether this is classified as a Security Issue, and address it accordingly, or whether it is classified as a regular bug, and may ask you to raise a GitHub Issue instead, at this time. +The core maintainers will determine whether this is classified as a security issue, and address it accordingly, or whether it is classified as a regular bug, and may ask you to raise a GitHub issue instead, at this time. -## Resolution Process +## Resolution process -The core maintainers will aim to acknowledge and validate any reported Security Issue promptly. +The core maintainers will aim to acknowledge and validate any reported security issue promptly. -Following the validation of a Security Issue, the core maintainers will broadly: +Following the validation of a security issue, the core maintainers will broadly: 1. 
Work on a patch and commit it to the repository via GitHub following the usual processes. @@ -18,18 +18,18 @@ Following the validation of a Security Issue, the core maintainers will broadly: 3. Consider offering a Rector automated fix within the release, where appropriate. -4. Notify all subscribed TempestPHP parties via the usual channels (discord, blog, etc) that the updated is published. +4. Notify all subscribed Tempest parties via the usual channels (discord, blog, etc) that the updated is published. -## Keeping TempestPHP Secure +## Keeping Tempest secure -Several controls are in place to ensure that TempestPHP code releases are kept secure. +Several controls are in place to ensure that Tempest code releases are kept secure. -1. All maintainers with write access to the repository (currently, just core maintainers) utilise Multi-Factor Authentication. +1. All maintainers with write access to the repository use multi-factor authentication. 2. Branch protection is configured on the repository. 3. All access rights and privileges (including automated accounts, API keys) are assigned on a Principle of Least Privilege basis. -4. Every Pull Request requires the successful completion of code quality and static analysis checks, and is reviewed by a core maintainer. +4. Every pull request requires the successful completion of code quality and static analysis checks, and is reviewed by a core maintainer. -5. TempestPHP actively upgrades dependencies based on deprecations and notices from upstream packages where used. \ No newline at end of file +5. Tempest actively upgrades dependencies based on deprecations and notices from upstream packages where used. \ No newline at end of file
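Review bot: In the "Resolution Process" list of PATCH 1/3 (the SECURITY.md hunk), step 2 reads "Issue a release containing the security release", which is circular; it should say "containing the security fix" (or "patch"), and step 4's "that the updated is published" should read "that the update is published". The policy also never states which versions receive security fixes, so a reporter cannot tell whether a finding in an older release is in scope; a short "Supported versions" section (even just "the latest minor release") would close that gap.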
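Review bot: The hunk in PATCH 2/3 removes the security (at) tempestphp (dot) com mailbox without leaving any fallback channel, so a reporter without a GitHub account, or one who finds the advisory form unavailable, has no way to reach the maintainers; consider keeping the address as a secondary contact. The link points at the tempest-framework repository's advisory form while the sentence still says "one or more of the TempestPHP repositories", so it should state explicitly that reports about the other repositories also go through that form. Minor: "forwarded to the core maintainers, only." has a stray comma.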
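Review bot: In the first hunk of PATCH 3/3 (@@ -1,16), the sentence "may ask you to raise a GitHub issue instead, at this time" keeps the dangling ", at this time"; since this is the grammar pass, drop it or move it ("may, at this time, ask you to raise a GitHub issue instead"). The same hunk still leaves "steps-to-recreate" hyphenated where "steps to reproduce" is the usual wording.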
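Review bot: The second hunk of PATCH 3/3 (@@ -18,18) rewrites step 4 but keeps the typo "that the updated is published"; change it to "that the update is published". In the same hunk, item 3 still capitalises "Principle of Least Privilege" while the rest of the pass lowercases "multi-factor authentication" and the headings, and both the old and new last line carry "\ No newline at end of file", so this pass is also the moment to add the trailing newline.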