| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: support@host.uk.com
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability and how an attacker might exploit it
This information will help us triage your report more quickly.
- Acknowledgment - We'll confirm receipt of your vulnerability report within 48 hours
- Assessment - We'll assess the vulnerability and determine its severity (typically within 5 business days)
- Fix Development - We'll develop a fix for the vulnerability
- Disclosure - Once a fix is available, we'll:
- Release a security patch
- Publish a security advisory
- Credit the reporter (unless you prefer to remain anonymous)
Security updates are released as soon as possible after a vulnerability is confirmed and patched. We follow these severity levels:
- Response time: Within 24 hours
- Patch release: Within 48 hours
- Examples: Remote code execution, SQL injection, authentication bypass
- Response time: Within 48 hours
- Patch release: Within 5 business days
- Examples: Privilege escalation, XSS, CSRF
- Response time: Within 5 business days
- Patch release: Next scheduled release
- Examples: Information disclosure, weak cryptography
- Response time: Within 10 business days
- Patch release: Next scheduled release
- Examples: Minor security improvements
The Core PHP Framework includes several security features:
- Automatic workspace scoping prevents cross-tenant data access
- Strict mode throws exceptions on missing workspace context
- Request validation ensures workspace context authenticity
- Bcrypt hashing for API keys (SHA-256 legacy support)
- Rate limiting per workspace with burst allowance
- HMAC-SHA256 webhook signing
- Scope-based permissions
- Multi-layer query validation (MCP package)
- Blocked keywords (INSERT, UPDATE, DELETE, DROP)
- Pattern detection for SQL injection attempts
- Read-only database connection support
- Table access controls
- Built-in HTML/JS sanitization
- XSS prevention
- Email validation and disposable email blocking
- Content Security Policy (CSP)
- HSTS, X-Frame-Options, X-Content-Type-Options
- Referrer Policy
- Permissions Policy
- Request whitelisting for sensitive operations
- Training mode for development
- Audit logging for all actions
When using the Core PHP Framework:
- Store API keys securely (never in version control)
- Use environment variables or secure key management
- Rotate keys regularly
- Use minimal required scopes
- Use read-only connections for MCP tools
- Configure blocked tables for sensitive data
- Enable query whitelisting in production
- Always validate workspace context in custom tools
- Use
RequiresWorkspaceContexttrait - Never bypass workspace scoping
- Configure appropriate limits per tier
- Monitor rate limit violations
- Implement backoff strategies in API clients
- Enable activity logging for sensitive operations
- Regularly review activity logs
- Set appropriate retention periods
See packages/core-mcp/changelog/2026/jan/security.md for recent security fixes.
We appreciate the security research community and would like to thank the following researchers for responsibly disclosing vulnerabilities:
- No vulnerabilities reported yet
We do not currently have a formal bug bounty program, but we deeply appreciate security research. Researchers who report valid security vulnerabilities will be:
- Credited in our security advisories (if desired)
- Listed in this document
- Given early access to security patches
For sensitive security reports, you may encrypt your message using our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[To be added if needed]
-----END PGP PUBLIC KEY BLOCK-----
- Security Email: support@host.uk.com
- General Support: https://github.com/host-uk/core-php/discussions
- GitHub Security Advisories: https://github.com/host-uk/core-php/security/advisories
When working with us according to this policy, you can expect us to:
- Respond to your report promptly
- Keep you informed about our progress
- Treat your report confidentially
- Credit your discovery publicly (if desired)
- Work with you to fully understand and resolve the issue
We request that you:
- Give us reasonable time to fix the vulnerability before public disclosure
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Do not access or modify data that doesn't belong to you
- Do not perform attacks that could harm reliability or integrity of our services