I've just opened a PR on web-php to add a security.txt file to php.net [1].
Since there's currently some discussion around security audit
priorities [2], I decided to notify this list first and see if there are
any questions or concerns about adding a security.txt file.
This file implements the standard defined in RFC 9116 [3] for a
machine-parsable format to aid in security vulnerability disclosure.
Of note:

- We must include an Expires field, which the RFC suggests should be
  less than a year in the future. I have set it for the assumed date
  for GA of PHP 8.4/9.0. I recommend we update the expires time each
  year on this date, since it's already a date of significance for us.
- I have signed it with my php.net release manager key. Since we
  publish our release manager keys, I'm recommending that a release
  manager for a currently supported version of PHP (at the time) be the
  one to digitally sign this file after making changes.
For more details about security.txt, see https://securitytxt.org.
Cheers,
Ben
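A small checker for the two points the message raises (the Expires field and the PGP-signed wrapper), added here as an example and not part of the web-php PR or php.net's own file; the sample file and its contact address are constructed placeholders, and the PGP signature itself is not verified by this code:

```python
"""Minimal RFC 9116 security.txt checker (added example, not from the web-php PR)."""
from datetime import datetime, timedelta, timezone

SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Constructed sample file; contact and dates are placeholders
Contact: mailto:security@example.invalid
Expires: 2025-11-20T00:00:00.000Z
-----BEGIN PGP SIGNATURE-----
(placeholder signature block)
-----END PGP SIGNATURE-----
"""

def parse_security_txt(text):
    """Return {field: [values]} from a plain or PGP cleartext-signed file (signature NOT verified here)."""
    lines = text.splitlines()
    if lines and lines[0].strip() == "-----BEGIN PGP SIGNED MESSAGE-----":
        # Armor headers end at the first blank line; fields end at the signature block.
        body = lines[lines.index("") + 1:]
        lines = body[:next(i for i, l in enumerate(body) if l.strip() == "-----BEGIN PGP SIGNATURE-----")]
    fields = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank lines and comments carry no fields
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now):
    """Return a list of problems ([] = pass): Contact present, one parseable Expires, not past, under a year ahead."""
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("missing Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        return problems + ["Expires must appear exactly once"]
    try:
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return problems + ["Expires is not an ISO 8601 timestamp"]
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)  # assume UTC when no offset is given
    if exp <= now:
        problems.append("file has expired")
    elif exp - now > timedelta(days=365):
        problems.append("Expires is more than a year ahead")
    return problems
```

Run it against the published file on a schedule (e.g. alongside the yearly Expires refresh the message proposes) and pair it with `gpg --verify` against the published release manager keys.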