Reporting a Security Issue

Found a security issue in Symfony2? Don’t use the mailing-list or the bug tracker. All security issues must be sent to security [at] instead. Emails sent to this address are forwarded to the Symfony core-team private mailing-list.

For each report, we first try to confirm the vulnerability. When it is confirmed, the core-team works on a solution following these steps:

  1. Send an acknowledgement to the reporter;
  2. Work on a patch;
  3. Write a post describing the vulnerability, the possible exploits, and how to patch/upgrade affected applications;
  4. Apply the patch to all maintained versions of Symfony;
  5. Publish the post on the official Symfony blog.


While we are working on a patch, please do not reveal the issue publicly.


Submitting a Patch


Running Symfony2 Tests