
If you don't mind using PHP, Symfony2 seems to be as professional as you can get. I moved from Rails to Symfony2 and never looked back.



http://symfony.com/blog/security-release-symfony-2-0-22-and-...

As above, so below.

This is not to diss Symfony, on the contrary, I believe having vulnerabilities detected does not mean the framework is insecure or not to be trusted.

What's not very logical is changing frameworks to another with a similar track record on the security camp due to some vulnerabilities found.


Have you even read that?

> Symfony applications are not vulnerable to this attack

And it definitely does not have the same track record. For example, it has been audited by a security company in one of the first versions. So far I have only seen minor security vulnerabilities, nothing like what Rails brings every week.

Anyway, that's not why I changed. I found it to be much better architected, 100% decoupled (as opposed to monolithic). You can change anything you want if you have to, or if you find better vendors and want to try them. It has actually been designed from day 1, and not by someone who read about design patterns a short time before creating the framework and calls himself 'the master chef'.

Having an OOP background, I thought (I don't remember why) the Ruby/RoR community was some sort of elite, and everyone had a much higher minimum level (as opposed to PHP, where most people are noobs). I was disappointed; most of them didn't even understand what interfaces were for (no wonder Ruby hasn't added them yet), let alone know the most basic design patterns. They also seem to enjoy laughing at developers from other languages. All this was a pain to watch, but I didn't care as long as Rails was perfect, and that's how I felt about it at first. But it wasn't, so I moved to Symfony2, and found out not only the framework was superior, but also the community was awesome.


The main point I've been trying to get across is that the fact you have only seen small vulnerabilities does not mean big ones don't exist!

And that [found vulnerabilities per time unit] * severity = [overall product security] is a fallacy in general.

In fact, showing that Symfony has had vulnerabilities was a good thing in my book.

Anyway, it's great you've found some framework you feel comfortable with. That's an awesome thing to have.



