Security issues are typically sent via a security form.
If an issue is reported directly on a public page, such as a repository issue or a forum topic, copy the report's contents and delete the public issue. Thank the reporter and point them to the security form for next time.
Verify that the issue is valid. Request more information if needed.
Create a draft GitHub security advisory.
- Compute the CVSS score using the NVD calculator.
- Choose the severity based on the rating scale.
Ask the reporter whether they want credit for finding the issue. If so, link to their GitHub account.
When you're ready, request a CVE.
Prepare a pull request fixing the issue. GitHub allows doing this in a private fork.
CVE assignment usually takes several days.
- Merge the patch pull request right before tagging the next package release.
- Publish the security advisory.
- Add the CVE to FriendsOfPHP/security-advisories. See #488 as an example.