

Handling security fixes

These are the instructions for handling security fixes in the currently active PHP branches. Note that this is not a guide to fixing bugs, but only to merging a patch once you have a working one.

Verify

  1. Post the patch to bugs.php.net in the issue where it was reported. If the patch is big, use the “secret gist” function on github.com. Do not use GitHub pull requests.
  2. Ask the original reporter to confirm that the patch works.
  3. Verify that the tests accompanying the patch and other relevant tests pass. Note that you cannot use CI for this for now.

Commit

  1. If you have access to the PHP security repository, proceed below. Otherwise, contact somebody who does and send them the patch, or contact security@php.net if you do not know anybody who does.
  2. Make a branch for the patch in the lowest version where it is relevant. If the patch is significantly different in other versions (such as 5.5 versus 7.x), make branches for all affected versions.
  3. Create the NEWS entry for the fix and make all other file updates that are necessary.
  4. Commit the patch to the branch. Do not push the branch to the main repository or to your own public repository. Ensure that the commit message mentions the bug number.
  5. Verify that the tests still pass (the repository may have changed while you were working on the patch and waiting for feedback).
  6. Push the branch to the security repository.
  7. Notify the RM for the affected branches about the existence of the pending fix, preferably in advance of the release date.

Merge and release

Releases are usually tagged every 4 weeks on Tuesday and released on Thursday, so to find the date when the next release will be tagged, add 4 weeks to the last release date and count two days back.

  1. On the day of tagging or the day immediately before (consult with the RM about relative timezones, etc.), merge the branches for the security fix into the main repository. Please note that if the fix is not the same for all active branches and you need to merge multiple branches, you will need to merge both the fix branch *and* the lower version branch into the higher version branch.
  2. Set the bug on bugs.php.net to public status. Note that doing this before pushing allows the bug to be auto-closed.
  3. Push the result to the main repository.
  4. Verify that the CI tests run cleanly and that NEWS is updated for all relevant versions (including higher versions).
  5. Verify that the bug on bugs.php.net is indeed closed (it may take several minutes for the bots to catch up). If it did not happen, close the bug manually (quoting the commit is highly recommended if it was not attached automatically).
  6. After you have finished merging all of your pending security fixes, notify the RMs.
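The "Commit" steps above (branch from the lowest affected version, commit with the bug number, do not push publicly) and step 1 of "Merge and release" (merge the fix branch and then the lower branch into the higher branch) can be exercised end to end in a throwaway repository. The script below is an added example, not part of the original page or of the PHP project's tooling: the branch names PHP-7.0 and PHP-7.1, the remote name `security`, the bug number `NNNNN` and the file names are all constructed placeholders, and the push to the security repository is shown only as a comment so the script runs fully offline.

```shell
#!/bin/sh
# Added example (not the page's own script). Builds a constructed two-branch
# history, applies a security fix on the lowest branch, and merges it upward
# in the order described on the page. Requires git on PATH.
set -e

# Constructed sample history: PHP-7.0 is the lowest affected branch, PHP-7.1
# carries an extra change so the upward merge is a real merge, not a fast-forward.
setup_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" symbolic-ref HEAD refs/heads/PHP-7.0
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config user.name "Demo"
    echo "base" > "$repo/ext.c"
    git -C "$repo" add ext.c
    git -C "$repo" commit -q -m "Base on 7.0"
    git -C "$repo" checkout -q -b PHP-7.1
    echo "only in 7.1" > "$repo/new_feature.c"
    git -C "$repo" add new_feature.c
    git -C "$repo" commit -q -m "7.1-only change"
    echo "$repo"
}

# "Commit" steps 2-4: branch from the lowest relevant version, add the NEWS
# entry with the fix, and commit with the (placeholder) bug number in the message.
create_fix_branch() {
    repo=$1
    git -C "$repo" checkout -q PHP-7.0
    git -C "$repo" checkout -q -b fix-bug-NNNNN
    echo "fixed" > "$repo/ext.c"
    echo "- Fixed bug #NNNNN (placeholder entry)." > "$repo/NEWS"
    git -C "$repo" add ext.c NEWS
    git -C "$repo" commit -q -m "Fix bug #NNNNN: constructed security fix"
    # "Commit" step 6 would be, against an assumed remote named "security":
    #   git -C "$repo" push security fix-bug-NNNNN
    # It is deliberately not run here; never push the branch to a public remote.
}

# "Merge and release" step 1: the fix lands in the lowest branch first, then the
# lower branch is merged into the higher one so the fix propagates upward.
merge_upward() {
    repo=$1
    git -C "$repo" checkout -q PHP-7.0
    git -C "$repo" merge -q --no-edit fix-bug-NNNNN
    git -C "$repo" checkout -q PHP-7.1
    git -C "$repo" merge -q --no-edit PHP-7.0
}

# Check used before pushing: does the given branch contain the fix commit?
# Returns 0 (true) when the fix branch is an ancestor of that branch.
branch_has_fix() {
    repo=$1
    branch=$2
    git -C "$repo" merge-base --is-ancestor fix-bug-NNNNN "$branch"
}

main() {
    repo=$(setup_demo_repo)
    create_fix_branch "$repo"
    merge_upward "$repo"
    for b in PHP-7.0 PHP-7.1; do
        if branch_has_fix "$repo" "$b"; then
            echo "$b: contains the fix"
        else
            echo "$b: MISSING the fix"
        fi
    done
    rm -rf "$repo"
}

main
```

The `branch_has_fix` check is the one worth keeping in a real workflow: run it for every active branch before pushing to the main repository, since a fix that was merged into the lowest branch but never carried upward is exactly the gap step 4 of "Merge and release" (NEWS updated for all versions, including higher ones) is meant to catch.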

CVEs

CVE handling procedures TBD.

security_fixes.1450079153.txt.gz · Last modified: 2017/09/22 13:28 (external edit)