The PHP Foundation Launches an Ecosystem Security Team

Published on May 26th, 2026 by Eric L. Barnes

The PHP Foundation just announced a new Ecosystem Security Team, funded by a grant from Alpha-Omega, to improve security across PHP open source. Volker Dusch will lead the effort as the Ecosystem AI Security Engineer in Residence at the PHP Foundation, a six-month full-time role, with additional grant funding supporting the team’s broader goals.

Dusch is a PHP 8.5 Release Manager and a former PHPUnit maintainer, and he currently works on PHP performance tooling at Tideways. The grant comes through Alpha-Omega, an OpenSSF initiative operating under the Linux Foundation ecosystem focused on improving open source security.

Why Now

Part of what's driving this is the rise of AI-generated vulnerability reports and the wide availability of AI-powered tools for finding vulnerabilities. That puts more pressure on maintainers, many of whom are volunteers working on projects with only a few people behind them, or none at all.

In the announcement, Elizabeth Barron put it plainly:

"PHP is foundational to the modern web, and ensuring its security is essential for a significant portion of the web's functionality and integrity."

What the Team Will Do

The team's work covers triage, tooling, and support for maintainers. Here are the goals listed in the announcement:

Help triage vulnerability reports and disclose them responsibly as necessary
Work on tooling to discover, classify, and remediate security vulnerabilities
Share emerging techniques on using those tools effectively, and help the PHP ecosystem adopt them
Respect maintainer bandwidth, provide high-quality reports, and coordinate project access to new security tooling
Support projects with only a few maintainers, and find solutions for projects with no active maintainers at all

Dusch described his approach to getting started: