Stefan have announced officially on his blog that he's finally retired from the PHP Security Response Team. The reasons are many, but according to Stefan the most important reason was that he realised that any attempt to improve the security of PHP from the inside is futile. Good luck for Stefan and hope this new decision will be positive for PHP and the PHP community since he announced that now he'll post advisories without waiting for patches. This make think myself, about a security issue I have talked about to some PHP expert but didn't get any response. Probably Stefan will be interested to dig into it.

The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin.