January 29, 2018 Fabien Potencier

Handling security issues responsibly and transparently is key to the success of any Open-Source project. Symfony is no exception. We documented the process of our security management policy a long time ago. Communication with the reporter, working on a fix, testing and validating the fix, coordinating with downstream projects, assigning CVE numbers, explaining the issue in a detailed blog post, and publishing security versions are some of the activities required to handle a security issue. From the initial email to resolution, dealing with a security issue can take as much as 6 months. That's a lot of time and energy. Up until now, the core team was in charge of the whole process. And I must admit that working on security issues on top of managing the Symfony project is getting difficult.

Today, I'm very happy and proud to announce that we are getting to the next level. Michael Cullum has agreed to join the Symfony Core Team to lead the security team. He will be responsible for managing the security process.

You probably know Michael already. He is the secretary of PHP FIG and the manager of phpBB, a project that uses Symfony extensively.