[sarciszewski]

They vary; generally, their maintainers mean well but that doesn't necessarily translate to secure code.

Cake lacks security expertise in their core team, unfortunately.

CodeIgniter is a bit conservative. (We must support PHP 5.2!) But then again, so is WordPress. They do listen to researchers.

Laravel is okay, but their lead dev is a bit of an egotistical and hypocritical ass. Recently, found and privately reported a PHP Object Injection vuln to Laravel; he said he didn't consider it a security issue, then when I disclosed publicly flipped his shit on me.

Symfony is great. Fabien has a cool head and responds well to security researchers.

Yii 2 is promising. I'll have to take another look before I call it bulletproof though.

My only experience with Zend has been interacting with their core devs on other media (Twitter, IRC); I haven't found any bugs in its core.

[eropple]

I'm out of PHP, but I'll second Symfony - Fabien and the Sensio people are the best folks I know in the PHP universe and they're careful and sober in their thinking.

[Phil_Latio]

Looks like after your "evil" public disclosure, they now added security contact: https://github.com/laravel/framework/commit/69e5c3c1daca8454...

[sarciszewski]

Yes, but I originally emailed that address so I don't think it was a reaction to me (or even a passive aggressive gesture). Taylor had a week's heads up and chose to dismiss my report.

[BringTheTanks]

Thanks, this was informative :)