Go Security Policy
Overview
This document explains the Go Security team’s process for handling issues reported and what to expect in return.
Reporting a Security Bug
All security bugs in the Go distribution should be reported by email to security@golang.org. This mail is delivered to the Go Security team.
To ensure your report is not marked as spam, please include the word “vulnerability” anywhere in your email. Please use a descriptive subject line for your report email.
Your email will be acknowledged within 7 days, and you’ll be kept up to date with the progress until resolution. Your issue will be fixed or made public within 90 days.
If you have not received a reply to your email within 7 days, please follow up with the Go Security team again at security@golang.org. Please make sure the word “vulnerability” is in your email.
If after 3 more days you have still not received an acknowledgement of your report, it is possible that your email might have been marked as spam. In that case, please file an issue here. Select “I want to report a technical security or an abuse risk related bug in a Google product (SQLi, XSS, etc.)”, and list “Go” as the affected product.
Tracks
Depending on the nature of your issue, it will be categorized by the Go Security team as an issue in the PUBLIC, PRIVATE, or URGENT track. All security issues will be issued CVE numbers.
The Go Security team does not assign traditional fine-grained severity labels (e.g. CRITICAL, HIGH, MEDIUM, LOW) to security issues because severity depends highly on how a user is using the affected API or functionality.
For example, the impact of a resource exhaustion issue in the encoding/json parser depends on what is being parsed. If the user is parsing trusted JSON files from their local filesystem, the impact is likely to be low. If the user is parsing untrusted arbitrary JSON from an HTTP request body, the impact may be much higher.
That said, the following issue tracks do signal how severe and/or wide-reaching the Security team believes an issue to be. For example, an issue with medium to significant impact for many users is a PRIVATE track issue in this policy, and an issue with negligible to minor impact, or which affects only a small subset of users, is a PUBLIC track issue.
PUBLIC
Issues in the PUBLIC track affect niche configurations, have very limited impact, or are already widely known.
PUBLIC track issues are labeled with Proposal-Security, discussed through the Go proposal review process, fixed in public, and get backported to the next scheduled minor releases (which occur ~monthly). The release announcement includes details of these issues, but there is no pre-announcement.
Examples of past PUBLIC issues include:
- #44916: archive/zip: can panic when calling Reader.Open
- #44913: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
- #43786: crypto/elliptic: incorrect operations on the P-224 curve
- #40928: net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified
- #40618: encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
- #36834: crypto/x509: certificate validation bypass on Windows 10
PRIVATE
Issues in the PRIVATE track are violations of committed security properties.
PRIVATE track issues are fixed in the next scheduled minor releases, and are kept private until then.
Three to seven days before the release, a pre-announcement is sent to golang-announce, announcing the presence of one or more security fixes in the upcoming releases, and whether the issues affect the standard library, the toolchain, or both, as well as reserved CVE IDs for each of the fixes.
For issues that are present in a major version release candidate, we follow the same process, including fixes in the next scheduled release candidate.
Some examples of past PRIVATE issues include:
- #53416: path/filepath: stack exhaustion in Glob
- #53616: go/parser: stack exhaustion in all Parse* functions
- #54658: net/http: handle server errors after sending GOAWAY
- #56284: syscall, os/exec: unsanitized NUL in environment variables
URGENT
URGENT track issues are a threat to the Go ecosystem’s integrity, or are being actively exploited in the wild leading to severe damage. There are no recent examples, but they would include remote code execution in net/http, or practical key recovery in crypto/tls.
URGENT track issues are fixed in private, and trigger an immediate dedicated security release, possibly with no pre-announcement.
Flagging Existing Issues as Security-related
If you believe that an existing issue is security-related, we ask that you send an email to security@golang.org. The email should include the issue ID and a short description of why it should be handled according to this security policy.
Disclosure Process
The Go project uses the following disclosure process:
1. Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.
2. The issue is confirmed and a list of affected software is determined.
3. Code is audited to find any potential similar problems.
4. If it is determined, in consultation with the submitter, that a CVE number is required, the primary handler will obtain one.
5. Fixes are prepared for the two most recent major releases and the head/master revision, and merged to head/master.
6. On the date that the fixes are applied, announcements are sent to golang-announce, golang-dev, and golang-nuts.
This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible; however, it’s important that we follow the process described above to ensure that disclosures are handled consistently.
For security issues that include the assignment of a CVE number, the issue is listed publicly under the “Golang” product on the CVE Details website as well as the National Vulnerability Disclosure site.
Receiving Security Updates
The best way to receive security announcements is to subscribe to the golang-announce mailing list. Any messages pertaining to a security issue will be prefixed with [security].
Comments on This Policy
If you have any suggestions to improve this policy, please file an issue for discussion.