Go Security Policy

Implementation

Reporting a Security Bug

Please report to us any issues you find. This document explains how to do that and what to expect in return.

All security bugs in the Go distribution should be reported by email to security@golang.org. This mail is delivered to a small security team. Your email will be acknowledged within 24 hours, and you'll receive a more detailed response to your email within 72 hours indicating the next steps in handling your report.

To ensure your report is not marked as spam, please include the word "vulnerability" anywhere in your email. Please use a descriptive subject line for your report email.

After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement. These updates will be sent at least every five days. In reality, this is more likely to be every 24-48 hours.

If you have not received a reply to your email within 48 hours or you have not heard from the security team for the past five days please contact the Go security team directly:

Primary security coordinator: Filippo Valsorda.
Secondary coordinator: Adam Langley.
If you receive no response, mail golang-dev@googlegroups.com or use the golang-dev web interface.

Please note that golang-dev is a public discussion forum. When escalating on this list, please do not disclose the details of the issue. Simply state that you're trying to reach a member of the security team.

Flagging Existing Issues as Security-related

If you believe that an existing issue is security-related, we ask that you send an email to security@golang.org. The email should include the issue ID and a short description of why it should be handled according to this security policy.

Disclosure Process

The Go project uses the following disclosure process:

Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.
The issue is confirmed and a list of affected software is determined.
Code is audited to find any potential similar problems.
If it is determined, in consultation with the submitter, that a CVE-ID is required, the primary handler obtains one via email to oss-distros.
Fixes are prepared for the two most recent major releases and the head/master revision. These fixes are not yet committed to the public repository.
A notification is sent to the golang-announce mailing list to give users time to prepare their systems for the update.
Three working days following this notification, the fixes are applied to the public repository and a new Go release is issued.
On the date that the fixes are applied, announcements are sent to golang-announce, golang-dev, and golang-nuts.

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently.

For security issues that include the assignment of a CVE-ID, the issue is listed publicly under the "Golang" product on the CVEDetails website as well as the National Vulnerability Disclosure site.

Receiving Security Updates

The best way to receive security announcements is to subscribe to the golang-announce mailing list. Any messages pertaining to a security issue will be prefixed with [security].

Comments on This Policy

If you have any suggestions to improve this policy, please send an email to golang-dev@golang.org for discussion.

PGP Key for security@golang.org

We accept PGP-encrypted email, but the majority of the security team are not regular PGP users so it's somewhat inconvenient. Please only use PGP for critical security reports.