Please report security vulnerabilities on GitHub at: https://github.com/php/php-src/security/advisories/new
If for some reason you cannot use the form at GitHub, or you need to talk to somebody about a PHP security issue that might not be a bug report, please write to security@php.net.
Vulnerability reports remain private until published. When published, you will be credited as a contributor, and your contribution will reflect the MITRE Credit System.
Our full policy is described at https://github.com/php/policies/blob/main/security-classification.rst