January 17, 2019 Michael Cullum

Building secure software is a high priority for any project and Symfony is no exception. Symfony has for a long time now had a process for people to responsibly disclose security issues in order that they can be fixed in a way that keeps those who use the framework secure.

Together with the European Commission, as part of their Free and Open Source Software Audit (FOSSA) project, we’re proud to announce that for a limited time we will be running a security bug bounty program worth up to 39,000 EUR. The aim is to encourage and reward security researchers and developers to look for security issues in Symfony, and then responsibly disclose those issues to us so that we can resolve them.

Depending on the severity of the issue, bounties will range from 350 EUR to 15,000 EUR and will be scored using our new severity scoring system which can be found in our security policy. This project is made possible by the generous funding of the European Commission who have given 39,000 EUR towards the project, and intigriti, their bug bounty platform partner. The bounty program will run from the 30th January 2019 until either the 15th October 2019 or until the budget is exhausted.

In order to be eligible, your issue must be within the scope defined and it must be reported through the intigriti reporting platform.

The scope of the program will include:

The latest official releases of supported branches of the Symfony Framework and its components;

Twig;

Symfony Flex;

Any other maintained bundles, polyfills or projects in the "Symfony" GitHub organisation;

Issues with generated code from the MakerBundle;

Recipes in the symfony/recipes repository.

If you wish to read further information on our security process then our security policy can be found here. You can read more information about the bug bounty program.

To report issues from the 30th January please visit this page.

If you wish to still report directly to us by emailing security [at] symfony [dot] com, you may do so but we are unable to distribute any financial bounty when issues are not reported through the intigriti platform.