They vary; generally, their maintainers mean well but that doesn't necessarily translate to secure code.
Cake lacks security expertise in their core team, unfortunately.
CodeIgniter is a bit conservative. (We must support PHP 5.2!) But then again, so is WordPress. They do listen to researchers.
Laravel is okay, but their lead dev is a bit of an egotistical and hypocritical ass. Recently, found and privately reported a PHP Object Injection vuln to Laravel; he said he didn't consider it a security issue, then when I disclosed publicly flipped his shit on me.
Symfony is great. Fabien has a cool head and responds well to security researchers.
Yii 2 is promising. I'll have to take another look before I call it bulletproof though.
My only experience with Zend has been interacting with their core devs on other media (Twitter, IRC); I haven't found any bugs in its core.
I'm out of PHP, but I'll second Symfony - Fabien and the Sensio people are the best folks I know in the PHP universe and they're careful and sober in their thinking.
Yes, but I originally emailed that address so I don't think it was a reaction to me (or even a passive aggressive gesture). Taylor had a week's heads up and chose to dismiss my report.
Cake lacks security expertise in their core team, unfortunately.
CodeIgniter is a bit conservative. (We must support PHP 5.2!) But then again, so is WordPress. They do listen to researchers.
Laravel is okay, but their lead dev is a bit of an egotistical and hypocritical ass. Recently, found and privately reported a PHP Object Injection vuln to Laravel; he said he didn't consider it a security issue, then when I disclosed publicly flipped his shit on me.
Symfony is great. Fabien has a cool head and responds well to security researchers.
Yii 2 is promising. I'll have to take another look before I call it bulletproof though.
My only experience with Zend has been interacting with their core devs on other media (Twitter, IRC); I haven't found any bugs in its core.