PHP Core Security Audit Results
Published on: 2025-04-27 13:07:26
The PHP Foundation is pleased to announce the completion of a comprehensive security audit of the PHP source code (php/php-src), commissioned by the Sovereign Tech Agency.
This initiative was organized in partnership with the Open Source Technology Improvement Fund (OSTIF) and executed by the esteemed security group Quarkslab.
Audit Overview
Conducted over a two-month period in 2024, the audit encompassed:
Development of a threat model tailored to php-src
Manual code reviews
Dynamic testing procedures
Cryptographic assessments
The collaboration between Quarkslab’s auditors and PHP maintainers ensured a thorough examination of the codebase.
⚠️
Due to budget constraints, the recent security audit focused on the most critical components of the PHP source code rather than the entire codebase. Organizations interested in sponsoring a comprehensive audit or additional assessments are encouraged to contact us!
⚠️
Key Findings
The audit identified 27 issues, with 17 having securit