
Security: WavestormSoftware/WavePHP


SECURITY.md

Security Policy

WavePHP takes security seriously. We aim to ship a framework that is secure by default and easy to audit.

Supported versions

Version Supported
0.1.x Yes
0.0.x No

Reporting a vulnerability

Please do not file a public issue for security bugs.

Email: security@wavestorm.example (Replace with the real address in your fork.)

We acknowledge security reports within 1 business day. We aim to provide a fix or mitigation plan within 7 days. We will coordinate with you on the disclosure date.

When reporting, please include:

  • A clear description of the issue and its impact.
  • Steps to reproduce (preferably with a minimal PoC).
  • The WavePHP version, PHP version, and OS.
  • Any known workarounds.

What we will do

  1. Acknowledge the report within 1 business day.
  2. Investigate and reproduce.
  3. Develop a fix on a private branch.
  4. Coordinate a disclosure date with you.
  5. Release a security patch with a public CVE if appropriate.
  6. Credit you in the changelog (unless you'd prefer to stay anonymous).

Security posture

The framework ships with the following controls on by default:

  • SQL injection — every identifier is regex-checked; every value is bound through PDO prepared statements.
  • XSS — .wave templates escape by default.
  • CSRF — CsrfGuard middleware for state-changing requests.
  • Session fixation — SessionGuard::login() regenerates the session ID.
  • Path traversal — LocalStorageDisk walks ancestors and uses realpath to confine paths to the storage root.
  • Header injection — SmtpMailDriver sanitizes every header, address, and SMTP command argument.
  • JWT — pinned to HS256; alg=none is rejected; signature compared with hash_equals.
  • Password hashing — password_hash with PASSWORD_BCRYPT or PASSWORD_ARGON2ID.
  • Random numbers — random_bytes and random_int throughout.
  • Rate limiting — throttle:N,M middleware for sensitive endpoints.
  • Cookies — HttpOnly, SameSite=Lax, Secure (when HTTPS).
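The JWT control above (algorithm pinned to HS256, alg=none rejected, signature compared with hash_equals) is worth seeing end to end. The following is an added, stand-alone PHP example written for this page; it is not WavePHP's own JWT code, and the function names, the demo secret, and the constructed tokens are assumptions made for illustration only.

```php
<?php
declare(strict_types=1);

// Added example (not WavePHP's code): verifying an HS256 JWT the way the
// posture list describes. The header is attacker-controlled, so the
// verifier never lets it choose the algorithm, and the signature check
// uses hash_equals() to avoid a timing side channel.

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string|false
{
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

/**
 * Returns the decoded claims on success, or null on any failure.
 * Only HS256 is accepted; every other alg value (including "none") fails.
 */
function verifyHs256Jwt(string $token, string $secret, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h64, $p64, $s64] = $parts;

    $headerJson  = base64UrlDecode($h64);
    $payloadJson = base64UrlDecode($p64);
    $signature   = base64UrlDecode($s64);
    if ($headerJson === false || $payloadJson === false || $signature === false) {
        return null;
    }

    $header = json_decode($headerJson, true);
    $claims = json_decode($payloadJson, true);
    if (!is_array($header) || !is_array($claims)) {
        return null;
    }

    // Pin the algorithm: do not dispatch on whatever the token says.
    if (($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    // Recompute the MAC over the exact encoded header.payload and compare
    // in constant time. A wrong-length signature also fails here.
    $expected = hash_hmac('sha256', $h64 . '.' . $p64, $secret, true);
    if (!hash_equals($expected, $signature)) {
        return null;
    }

    // Enforce expiry when present (exp is a NumericDate per RFC 7519).
    if (isset($claims['exp'])) {
        if (!is_int($claims['exp']) || $claims['exp'] <= $now) {
            return null;
        }
    }

    return $claims;
}

function signHs256Jwt(array $claims, string $secret): string
{
    $h64 = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $p64 = base64UrlEncode(json_encode($claims));
    $sig = hash_hmac('sha256', $h64 . '.' . $p64, $secret, true);
    return $h64 . '.' . $p64 . '.' . base64UrlEncode($sig);
}

// Demo with a constructed secret and constructed tokens (not real values).
$secret = 'constructed-demo-secret-do-not-reuse';
$now    = 1_700_000_000;

$good = signHs256Jwt(['sub' => 'user-42', 'exp' => $now + 3600], $secret);
var_dump(verifyHs256Jwt($good, $secret, $now));

// Same claims, but the header says alg=none and the signature is empty:
// the verifier must return null regardless of what the header claims.
$noneHeader = base64UrlEncode(json_encode(['alg' => 'none', 'typ' => 'JWT']));
$payload    = base64UrlEncode(json_encode(['sub' => 'user-42', 'exp' => $now + 3600]));
var_dump(verifyHs256Jwt($noneHeader . '.' . $payload . '.', $secret, $now));

// A token signed under a different key is rejected by the hash_equals check.
var_dump(verifyHs256Jwt(signHs256Jwt(['sub' => 'user-42'], 'other-key'), $secret, $now));
```

Run with `php verify_jwt.php` (PHP 8.0 or later, for the `string|false` return type). The first `var_dump` prints the claims array; the alg=none token and the token signed under another key both produce `NULL`. The two design points to carry into any verifier are visible in the code: the accepted algorithm is a constant in the verifier, not a value read from the token, and the signature comparison is `hash_equals()` rather than `===`.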

You must also:

  • Keep PHP updated.
  • Use HTTPS in production.
  • Set APP_DEBUG=false in production.
  • Rotate secrets.
  • Audit third-party Composer packages.
  • Run composer audit regularly.

What we will NOT do

  • We will not silently fix a security issue without a CVE and a public changelog entry.
  • We will not hold a fix hostage for an extended embargo.
  • We will not share your report with third parties without your permission.

Acknowledgements

We thank the following security researchers for responsible disclosures:

(No entries yet.)

Out-of-scope

The following are out of scope for security reports against the framework itself:

  • Bugs in your application code.
  • Bugs in third-party Composer packages.
  • Social engineering attacks against you or your users.
  • Denial of service against your own infrastructure.

For these, please engage a security audit firm.

There aren't any published security advisories