If you have encountered a security-related issue with Yii, please use the security issue form to report any security issues you have encountered to us.

WARNING! DO NOT use the issue tracker or discuss it in the public forum as it will cause more damage than help.

Please note that as a non-commercial OpenSource project we are not able to pay bounties at the moment.

For each report, we try to first confirm the vulnerability. Once confirmed, the Yii team will take the following actions:

• Acknowledge to the reporter that we’ve received the issue, and are working on a fix. We ask that the reporter keep the issue confidential until we announce it.
• Get a fix/patch prepared.
• Prepare a post describing the vulnerability, and the possible exploits.
• Release new versions of all affected versions.
• Prominently feature the problem in the release announcement