I've just opened a PR on web-php to add a security.txt file to php.net[1].

Since there's currently some discussion around security audit priorities[2], I decided to notify this list first and see if there are any questions or concerns about adding a security.txt file.

This file implements the standard defined in RFC 9116[3] for a
machine-parsable format to aid in security vulnerability disclosure.

Of note:

1. We must include an Expires field, which the RFC suggests should be
   less than a year in the future. I have set it for the assumed date
   for GA of PHP 8.4/9.0. I recommend we update the expires time each
   year on this date, since it's already a date of significance for us.

2. I have signed it with my php.net release manager key. Since we
   publish our release manager keys, I'm recommending that a release
   manager for a currently supported version of PHP (at the time) be the
   one to digitally sign this file after making changes.

For more details about security.txt, see <https://securitytxt.org>.

Cheers,
Ben


[1]: https://github.com/php/web-php/pull/816
[2]: https://externals.io/message/121135
[3]: https://www.rfc-editor.org/rfc/rfc9116

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
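As an added example, not code from the original post or from the php/web-php PR, here is a small Python validator for the kind of file the post describes: it parses an RFC 9116 security.txt, checks the two required fields (Contact and Expires), checks that Expires is an RFC 3339 timestamp in the future and flags one more than a year out (RFC 9116 recommends less than a year), and recognises an OpenPGP cleartext-signature envelope so the fields inside it are read. It does not verify the signature itself; that needs gpg and the signer's public key. The sample file, its contact address, URLs, dates and signature block are constructed placeholders, not php.net's real file.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample laid out like a cleartext-signed security.txt. Contact
# address, URLs, dates and the signature block are placeholders invented for
# this example (assumptions), not the real php.net file.
SAMPLE_SIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Hypothetical security.txt for illustration only
Contact: mailto:security@example.org
Expires: 2024-11-21T00:00:00.000Z
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE...constructed placeholder, not a real signature...
-----END PGP SIGNATURE-----
"""

PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
REQUIRED = ("Contact", "Expires")


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp such as 2024-11-21T00:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_body(text):
    """Return (is_signed, body). For a cleartext-signed file (RFC 4880 s.7) the
    body is the text between the armor headers and the signature block;
    otherwise the whole file is returned unchanged."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != PGP_BEGIN:
        return False, text
    i = 1
    while i < len(lines) and lines[i].strip():  # skip "Hash: ..." headers
        i += 1
    i += 1  # skip the blank line that ends the armor headers
    body = []
    while i < len(lines) and lines[i].strip() != PGP_SIG_BEGIN:
        line = lines[i]
        if line.startswith("- "):  # undo dash-escaping of signed lines
            line = line[2:]
        body.append(line)
        i += 1
    return True, "\n".join(body)


def parse_fields(body):
    """Parse 'Name: value' lines into a dict of lists; '#' lines are comments."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate(text, now_iso=None):
    """Return a list of problems; an empty list means every check passed.
    now_iso pins the reference time (RFC 3339) so results are reproducible."""
    now = parse_rfc3339(now_iso) if now_iso else datetime.now(timezone.utc)
    problems = []
    signed, body = extract_body(text)
    if not signed:
        problems.append("not wrapped in an OpenPGP cleartext signature")
    fields = parse_fields(body)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires[:1]:
        try:
            exp = parse_rfc3339(value)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if exp.tzinfo is None:
            problems.append("Expires lacks a timezone offset")
        elif exp <= now:
            problems.append(f"file expired at {value}")
        elif exp - now > timedelta(days=365):
            problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    for value in fields.get("Contact", []):
        if not re.match(r"^(mailto:|tel:|https://)", value):
            problems.append(f"Contact should be a mailto:, tel: or https: URI: {value}")
    return problems


if __name__ == "__main__":
    print(validate(SAMPLE_SIGNED) or "ok")
```

Run it against a downloaded /.well-known/security.txt before the yearly Expires bump the post proposes; a separate `gpg --verify` against the published release manager key covers the signature check this script deliberately leaves out.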