Last year Yii was chosen to be in session 3 of the GitHub Secure Open Source Fund as a project that impacts a significant part of the PHP landscape.
We were in good company together with many wonderful projects such as LLVM, Node.js, CPython, curl, ImageMagick, webpack, and jQuery.
It was quite an experience. We've verified that we were already doing well and learned and adopted new things. As a result, Yii became an even more secure base for your projects.
What we've learned/adopted:
- GitHub Actions workflows can be an attack vector. We've revised our actions accordingly.
- Immutable releases are great. We've started to use them immediately.
- A security report may be out of scope for the framework to fix when the issue only arises if multiple practices recommended in the documentation are violated. Stating this explicitly will help us decide on reported issues faster and more precisely.
- Creating public threat models could be beneficial for the project. We'll definitely try it in the future.
- Security configurations are a great way to enforce particular rules for the whole GitHub organization. Very useful for Yii3, which has many packages.
- Having an incident response plan is a good idea since when the time comes, it's better to follow the plan instead of making things up on the go.
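One concrete shape the "revised our actions" point above can take is shown below. This is an added example, not a workflow taken from the Yii repositories: it uses a read-only default token, grants write permission only to the job that needs it, pins third-party actions to full commit SHAs (placeholders here, to be replaced with SHAs you have audited), and passes event data through environment variables instead of interpolating it into shell. Job and step names, the PHP version and the commands are assumptions.

```yaml
name: ci

on:
  push:
    branches: [master]
  pull_request:
  # Note: prefer `pull_request` over `pull_request_target` for checking out
  # and running code from a fork; the latter runs with the base repo's
  # secrets and write token.

# Default for every job: a read-only GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full commit SHA rather than a mutable tag such as @v4.
      # <FULL_COMMIT_SHA> is a placeholder; record the version in a comment
      # so automated updaters (e.g. Dependabot) can keep the pin current.
      - uses: actions/checkout@<FULL_COMMIT_SHA> # vX.Y.Z (placeholder)

      - uses: shivammathur/setup-php@<FULL_COMMIT_SHA> # vX.Y.Z (placeholder)
        with:
          php-version: '8.3'

      - run: composer install --no-interaction --prefer-dist --no-progress
      - run: vendor/bin/phpunit

      # Untrusted event data (PR title, branch name, ...) goes through an
      # environment variable; the shell sees a quoted value, not a template
      # expansion, so it cannot inject commands.
      - name: Report PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checked PR: $PR_TITLE"

  release-notes:
    # Only this job needs to write; grant it explicitly instead of widening
    # the workflow-level default.
    if: github.event_name == 'push'
    needs: tests
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA> # vX.Y.Z (placeholder)
      - run: ./scripts/update-changelog.sh # assumed project script
```

The two settings that matter most are the top-level `permissions: contents: read` (every job starts least-privileged) and the SHA pins (a compromised or retagged action release cannot silently change what your workflow runs). Keeping a version comment next to each pin lets a dependency updater propose bumps as ordinary pull requests that you review like any other change.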
Security is not a one-time action; it is a process, and we are committed to it.
Thanks, GitHub!