From 8cb536487139ee7e13f309bb5380ca1d2c00cc40 Mon Sep 17 00:00:00 2001
From: Ben Ramsey
Date: Thu, 5 Oct 2023 13:39:17 -0500
Subject: [PATCH] Add a security.txt file to php.net (#816)

This file implements the standard defined in RFC 9116 for a machine-parsable
format to aid in security vulnerability disclosure.

Of note:

1. We must include an Expires field, which the RFC suggests should be less
   than a year in the future. I have set it for the assumed date for GA of
   PHP 8.4/9.0. I recommend we update the expires time each year on this
   date, since it's already a date of significance for us.

2. I have signed it with my php.net release manager key. Since we publish our
   release manager keys, I'm recommending that a release manager for a
   currently supported version of PHP (at the time) be the one to digitally
   sign this file after making changes.

For more details about security.txt, see:

- https://securitytxt.org
- https://www.rfc-editor.org/rfc/rfc9116
---
 .well-known/security.txt | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .well-known/security.txt

diff --git a/.well-known/security.txt b/.well-known/security.txt
new file mode 100644
index 0000000000..47d85de7da
--- /dev/null
+++ b/.well-known/security.txt
@@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +Contact: https://github.com/php/php-src/security/advisories/new +Contact: mailto:security@php.net +Expires: 2024-11-28T11:59:59.999Z +Preferred-Languages: en +Canonical: https://www.php.net/.well-known/security.txt +Policy: https://github.com/php/php-src/security/policy + +# Signed by Ben Ramsey on 2023-09-29. + +# For instructions on how to update this file, read +# +-----BEGIN PGP SIGNATURE----- + +iQJDBAEBCAAtFiEEObZBND2MEEsrFG3D+cOdwLlphUQFAmUXFR8PHHJhbXNleUBw +aHAubmV0AAoJEPnDncC5aYVE5FsP/0vTzaiBB6ESAex1QPWU2tUFPiVsFBZN0/lo +DHVokFrOQ0CiUaXmOltia8ZJK5WR5IRlKjm94GlgFqdg5Mn0sLvo9JF9e4eq2PZa +AYj3rGL4C6GCXc8voKz9TXZ/eerkCSA2BY/0a1PM69dDam0XBcrCIndcil/3Evj0 +ztiWPWcMRHubBadxmDosoGtXwcw5u13IIGDmSsHwNtdkKNbS1eb1+o7DFSVQZicY +hW5SI4pfjW5BsIYxHLR7F9qCtoTWkZwtwTqX5LNIPBh6M/C8aYl/3vAfikBbqvXu +SPnObTGBNXeaHavVXMohBFNZsWdiJzBSAKQBhsqGTElVJfSbuzyaNIFN7LuuheS4 +Od7Ar9V8tUsfy/y9OisWOIbNVpm7FgQIDKTTXXJpI1THQ1kmsHKsPN5eFZw1O8ZE +ZSztjMyo0jaLTlwrfzAmqSwEiuAQAv1fvc4PncHeat1SMFFG4wP1/lEfmzunmLiq +yUzwii/5JOLWwAGfkuNaWTOTX7XJVyfTcr34nD+2WNxws4vrAA9KES2qhLBYpZ/K +xELiqGcogoDBiQYZ7AnofsbghFQn1cpX90uUxdXXAimiUWgBm3ONnXX9YoNsYMdd +eVMZ3JfOOUL8Gfe5vjaQex46o4zN/1g2baAmu5usfD21TLZEcrD9HhFiarEWjYv0 +Tr0agdzE +=CJdS +-----END PGP SIGNATURE-----
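Review bot: the comment `# For instructions on how to update this file, read` in the signed body is left dangling: the following line is a bare `#` and no URL or document name follows, so a future editor has nothing to read. Either point it at the actual location of the update procedure (the re-signing recommendation from this commit message, for example) or drop the two comment lines; note that any change to the signed body invalidates the clearsign signature, so the fix has to be made before the file is signed again. Two smaller points on the fields: `Expires: 2024-11-28T11:59:59.999Z` is about fourteen months after the `# Signed by Ben Ramsey on 2023-09-29.` date, which exceeds the less-than-a-year guidance the commit message itself cites from RFC 9116 (section 2.5.5), so consider an expiry no more than a year out with the annual re-sign tied to that date rather than to the GA date. There is also no `Encryption:` field; since the release manager keys are published, adding `Encryption:` with the URL of the key that produced this signature gives reporters an in-file way to encrypt reports to security@php.net and to locate the key needed to verify the signature.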
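As an added example (not code from php/web-php or from the commit author), here is a small RFC 9116 checker that parses the clearsigned layout used by the file above and applies the checks a reporter or a CI job would want: Contact present, exactly one RFC 3339 Expires that is still in the future, the "less than a year" recommendation measured from an issue date, Preferred-Languages at most once, Canonical matching the URL the file was served from, and Canonical present when the file is signed. The sample input is a constructed copy of the field block from the patch with the signature bytes replaced by a placeholder; the checker parses the clearsign framing but does not verify the OpenPGP signature, and the section numbers cited in the messages are my reading of RFC 9116.

```python
"""RFC 9116 security.txt checker (added example; not php.net's own tooling)."""
from datetime import datetime, timedelta

# Constructed sample: the field block from the patch, signature bytes omitted
# because this checker does not verify OpenPGP signatures.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: https://github.com/php/php-src/security/advisories/new
Contact: mailto:security@php.net
Expires: 2024-11-28T11:59:59.999Z
Preferred-Languages: en
Canonical: https://www.php.net/.well-known/security.txt
Policy: https://github.com/php/php-src/security/policy

# Signed by Ben Ramsey on 2023-09-29.
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

SIGNED_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_HEADER = "-----BEGIN PGP SIGNATURE-----"


def parse_security_txt(text):
    """Return (fields, signed): fields maps lower-cased names to value lists in
    file order; comments and blank lines are dropped; the clearsign armor is
    stripped but the signature itself is NOT verified."""
    lines = text.splitlines()
    signed = False
    if lines and lines[0] == SIGNED_HEADER:
        signed = True
        idx = 1                      # skip armor headers such as "Hash: SHA256"
        while idx < len(lines) and lines[idx].strip():
            idx += 1
        lines = lines[idx + 1:]      # body starts after the blank line
    fields = {}
    for line in lines:
        if line == SIG_HEADER:
            break
        if line.startswith("- "):    # clearsign dash-escaping (RFC 4880 s.7.1)
            line = line[2:]
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a field line: {line!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, signed


def parse_rfc3339(value):
    """Parse an RFC 3339 date-time such as 2024-11-28T11:59:59.999Z."""
    if isinstance(value, datetime):
        return value
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("date-time must carry a UTC offset")
    return parsed


def check_security_txt(text, now, served_at=None, issued=None):
    """Return a list of problem strings. `now` drives the expiry test,
    `served_at` is the URL the file was fetched from (checked against
    Canonical), `issued` is when the file was signed or published."""
    now = parse_rfc3339(now)
    problems = []
    fields, signed = parse_security_txt(text)

    if not fields.get("contact"):
        problems.append("Contact is required (RFC 9116 s.2.5.3)")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required (s.2.5.5)")
    else:
        try:
            exp = parse_rfc3339(expires[0])
        except ValueError as err:
            problems.append(f"Expires is not RFC 3339: {err}")
        else:
            if exp <= now:
                problems.append("file is expired and must be treated as stale")
            if issued is not None and exp - parse_rfc3339(issued) > timedelta(days=365):
                problems.append("Expires is more than a year after issue; s.2.5.5 recommends less")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once (s.2.5.8)")

    canonical = fields.get("canonical", [])
    if served_at is not None and canonical and served_at not in canonical:
        problems.append(f"served from {served_at}, which is not listed in Canonical")
    if signed and not canonical:
        problems.append("signed file without Canonical (s.2.3 recommends it)")
    if not signed:
        problems.append("file is not signed (s.2.3 recommends a cleartext signature)")
    return problems


def audit_patch_file():
    """Run the checks on the sample with the dates visible in the patch."""
    return check_security_txt(SAMPLE, now="2023-10-05T00:00:00Z",
                              served_at="https://www.php.net/.well-known/security.txt",
                              issued="2023-09-29T00:00:00Z")


if __name__ == "__main__":
    for problem in audit_patch_file():
        print("-", problem)
```

Run against the dates in the patch, the only finding is the Expires horizon (about fourteen months from the 2023-09-29 signing date); run with a clock past 2024-11-28 the file is reported as expired, which is the condition the annual re-sign in the commit message is meant to prevent.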