Wednesday, August 10. 2005
Some weeks ago I publicly disclosed 2 serious flaws in the PHP Security Guide of the PHP Security Consortium. The PHP community surely remembers the harsh response from the PHPSC leader to my publication. To this day he still claims that the flaws exist only in my imagination (which is very strange, because he has fixed them without proper credit) and that I didn't contact 5 people among the consortium prior to my public disclosure.
Having learned from that experience, I sent another flaw in their documentation directly to their official contact address, which is mentioned on their website. This time the flaw is located in their article about how to use Text_CAPTCHA.