This document explains how API Platform security issues are handled by the API Platform core team (API Platform being the code hosted in the api-platform
GitHub organization).
If you think that you have found a security issue in API Platform, don’t use the bug tracker and don’t publish it publicly. Instead, all security issues must be sent to kevin+api-platform-security [at] dunglas.fr.
For each report, we first try to confirm the vulnerability. When it is confirmed, the core team works on a solution following these steps:
check:security
command.While we are working on a patch, please do not reveal the issue publicly.
The resolution takes anywhere between a couple of days to some months depending on its complexity and the coordination with the downstream projects (see next paragraph).
API PLatform Core is part of the Tidelift subscription: verified updates for zero-day vulnerabilities, coordinated security responses, and immediate notifications of which of your applications are impacted, with the fix prepared for you!
In order to determine the severity of a security issue we take into account the complexity of any potential attack, the impact of the vulnerability and also how many projects it is likely to affect. This score out of 15 is then converted into a level of: Low, Medium, High, Critical, or Exceptional.
Score of between 1 and 5 depending on how complex it is to exploit the vulnerability
Scores from the following areas are added together to produce a score. The score for Impact is capped at 6. Each area is scored between 0 and 4.
Scores from the following areas are added together to produce a score. The score for Affected Projects is capped at 4.
This document has been adapted from the Symfony’s security policy.
Made with love by
Les-Tilleuls.coop can help you design and develop your APIs and web projects, and train your teams in API Platform, Symfony, Next.js, Kubernetes and a wide range of other technologies.
Learn more