@@ -48,6 +48,46 @@ confirmed, the core-team works on a solution following these steps:
4848
4949 While we are working on a patch, please do not reveal the issue publicly.
5050
51+ ..note ::
52+
53+ The resolution takes anywhere between a couple of days to a month to solve
54+ an issue depending on its complexity and the coordination with the
55+ downstream projects (see next paragraph).
56+
57+ Collaborating with Downstream Open-Source Projects
58+ --------------------------------------------------
59+
60+ As Symfony is used by many large Open-Source projects, we standardized the way
61+ the Symfony security team collaborate on security issues with downstream
62+ projects. The process works as follows:
63+
64+ 1. After the Symfony security team has acknowledged a security issue, it
65+ immediately send an email to the downstream project security teams to inform
66+ them of the issue;
67+
68+ 2. The Symfony security team creates a private Git repository to ease the
69+ collaboration on the issue and access to this repository is given to the
70+ Symfony security team, to the Symfony contributors that are impacted by the
71+ issue, and to one representative of each downstream projects;
72+
73+ 3. All people with access to the private repository work on a solution to
74+ solve the issue via pull requests, code reviews, and comments;
75+
76+ 4. Once the fix is found, all involved projects collaborate to find the best
77+ date for a joint release (there is no guarantee that all releases will be at
78+ the same time but we will try hard to make them at about the same time).
79+
80+ The list of downstream projects participating in this process is kept as small
81+ as possible in order to better manage the flow of confidential information
82+ prior to disclosure. As such, projects are included at the sole discretion of
83+ the Symfony security team.
84+
85+ As of today, the following projects have validated this process and are part
86+ of the downstream projects included in this process:
87+
88+ * Drupal
89+ * eZPublish
90+
5191Security Advisories
5292-------------------
5393
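Review bot: the directive at line 51 is malformed RST (`..note ::` instead of `.. note::`); as written Sphinx will not render it as an admonition, so the paragraph about resolution time will appear as plain or dropped text. Change it to `.. note::` with the body indented beneath it, and reword the body to "The resolution takes anywhere between a couple of days and a month depending on the complexity of the issue and the coordination with the downstream projects (see next section)", since what follows is a section, not a paragraph. A few agreement errors in the new section should also be fixed before merge: "the Symfony security team collaborate" should be "collaborates" (line 61), "it immediately send an email" should be "sends" (line 65), and "one representative of each downstream projects" should be "each downstream project" (line 71). Finally, the process says downstream teams are emailed "immediately" after acknowledgement but does not say how a downstream project is expected to reach the Symfony security team in the other direction, or how confidentiality is expected to be handled by the project representative; one sentence pointing to the reporting address already given earlier in the document and stating the embargo expectation would make the policy complete.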