We actively support the following versions of Fetch PHP with security updates:

| Version | Supported |
|---|---|
| 3.x.x | ✅ |
| 2.x.x | ❌ |
| < 2.0 | ❌ |

If you discover a security vulnerability in Fetch PHP, please follow responsible disclosure:
- Do not create a public GitHub issue for security vulnerabilities
- Email security concerns to: tjthavarshan@gmail.com
- Include a detailed description of the vulnerability
- Provide steps to reproduce the issue
- Include any proof-of-concept code (if applicable)
- Acknowledgment: We will acknowledge receipt within 48 hours
- Investigation: Initial assessment within 5 business days
- Updates: Regular updates on progress every 5-7 days
- Resolution: We aim to resolve critical issues within 30 days
- Day 0: Vulnerability reported
- Day 1-2: Acknowledgment sent
- Day 1-5: Initial assessment and severity classification
- Day 5-30: Development and testing of fix
- Day 30+: Public disclosure after fix is released
When using Fetch PHP:
- Always validate input before making HTTP requests
- Use HTTPS for all external API calls
- Sanitize response data before processing
- Implement proper authentication using bearer tokens or API keys
- Set appropriate timeouts to prevent hanging requests
- Use the latest version to benefit from security patches
This security policy covers:
- The core Fetch PHP library (`src/Fetch/`)
- Helper functions and utilities
- Authentication mechanisms
- HTTP request/response handling
Out of scope:
- Third-party dependencies (report to respective maintainers)
- Example code in documentation
- Development tools and scripts
We recognize security researchers who help improve Fetch PHP:
Thank you for helping keep Fetch PHP secure!