From 4029388e381d912b7c955dc67caafac81061e542 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Tue, 14 May 2013 14:59:47 +0200 Subject: [PATCH] added information about downstream projects included in our security issue resolving process --- contributing/code/security.rst | 40 ++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 5d895101380..d24bc734582 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst 
@@ -48,6 +48,46 @@ confirmed, the core-team works on a solution following these steps: While we are working on a patch, please do not reveal the issue publicly. +.. note:: + + The resolution takes anywhere between a couple of days to a month to solve + an issue depending on its complexity and the coordination with the + downstream projects (see next paragraph). + +Collaborating with Downstream Open-Source Projects +-------------------------------------------------- + +As Symfony is used by many large Open-Source projects, we standardized the way +the Symfony security team collaborate on security issues with downstream +projects. The process works as follows: + +1. After the Symfony security team has acknowledged a security issue, it +immediately send an email to the downstream project security teams to inform +them of the issue; + +2. The Symfony security team creates a private Git repository to ease the +collaboration on the issue and access to this repository is given to the +Symfony security team, to the Symfony contributors that are impacted by the +issue, and to one representative of each downstream projects; + +3. All people with access to the private repository work on a solution to +solve the issue via pull requests, code reviews, and comments; + +4. Once the fix is found, all involved projects collaborate to find the best +date for a joint release (there is no guarantee that all releases will be at +the same time but we will try hard to make them at about the same time). + +The list of downstream projects participating in this process is kept as small +as possible in order to better manage the flow of confidential information +prior to disclosure. As such, projects are included at the sole discretion of +the Symfony security team. + +As of today, the following projects have validated this process and are part +of the downstream projects included in this process: + +* Drupal +* eZPublish + Security Advisories ------------------- pFad - Phonifier reborn
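Review bot: the continuation lines of the four numbered items (for example `immediately send an email to the downstream project security teams to inform`) are not indented under the item text, which in reStructuredText ends the enumerated list early and makes docutils emit "Enumerated list ends without a blank line; unexpected unindent" while rendering the rest of each item as a plain paragraph; indent those lines by three spaces so they align with the text after `1. `. A few wording fixes in the same block: `the Symfony security team collaborate` should read `collaborates`, `it immediately send an email` should read `sends`, `one representative of each downstream projects` should read `each downstream project`, and `(see next paragraph)` in the note actually refers to the following section, so `(see next section)` is the accurate cross-reference.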