Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in biscuit-php, please report it responsibly through one of the following channels:

1. GitHub Private Vulnerability Reporting — Use the Security Advisories page to privately report the issue.
2. Email — Send a detailed report to pierre.tondereau@protonmail.com.

• A description of the vulnerability and its potential impact
• Steps to reproduce or a proof of concept
• The version(s) affected
• Any suggested fix, if you have one

• Acknowledgement within 48 hours of your report
• Status updates as we investigate and work on a fix
• Credit in the security advisory (unless you prefer to remain anonymous)

We aim to release a patch for confirmed vulnerabilities as quickly as possible.

Since biscuit-php provides PHP bindings for Biscuit authorization tokens, the following areas are particularly relevant:

• Token creation, parsing, and validation
• Cryptographic key handling (Ed25519, Secp256r1)
• Memory safety in the Rust/PHP FFI boundary
• Authorization policy evaluation

Vulnerabilities in upstream dependencies (biscuit-auth, ext-php-rs) should be reported to their respective maintainers, but feel free to notify us as well so we can track the impact on this project.

We follow a coordinated disclosure process:

1. The reporter submits the vulnerability privately.
2. We confirm and assess the issue.
3. We develop and test a fix.
4. We release the fix and publish a security advisory.
5. The vulnerability details are made public after users have had reasonable time to update.