This project is currently in active development. We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 0.x.x | ✅ |
| < 0.x | ❌ |
We take security vulnerabilities seriously. If you believe you have found a security vulnerability, please report it to us as described below.
During Phase 1 governance, security vulnerabilities should be reported directly to the maintainer:
- Maintainer: @tommihip
- Email: tommi@redb.co
- GitHub: Open a private security advisory from the repository's Security tab (not a public issue, even one tagged with a "Security" label)
Reporting guidelines:
- DO NOT create a public GitHub issue for security vulnerabilities
- DO create a private security advisory or contact the maintainer directly
- DO provide detailed information about the vulnerability
- DO allow reasonable time for assessment and response
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: Potential impact on users and systems
- Steps to Reproduce: Detailed steps to reproduce the issue
- Environment: OS, Go version, database versions, etc.
- Proof of Concept: If possible, provide a minimal PoC
- Timeline: Any disclosure timeline requirements
Expected response timeline:
- Initial Response: Within 24 hours
- Assessment: Within 3-5 business days
- Fix Development: Depends on severity and complexity
- Public Disclosure: Following responsible disclosure practices
For critical security vulnerabilities that require immediate attention:
- Use Emergency Procedures: Follow the emergency procedures in EMERGENCY_PROCEDURES.md
- Direct Contact: Contact the maintainer through available channels
- Emergency PR: Use the `[EMERGENCY]` prefix in the PR title for urgent security fixes
- Immediate Response: Critical issues will be addressed immediately
Security measures currently in place:
- CodeQL Analysis: Automated security scanning on all PRs
- Dependency Scanning: govulncheck for vulnerability detection
- Security Reviews: All code changes reviewed by maintainer
- Secure Development: Following Go security best practices
Planned improvements:
- Add security-focused code reviews
- Implement automated dependency updates
- Add security testing in CI/CD
- Establish security team structure
Longer-term goals as the project grows:
- Dedicated security team
- Automated vulnerability scanning
- Security-focused development practices
- Regular security audits
- Formal security review process
- Advanced threat modeling
- Comprehensive security testing
- Enterprise-grade security features
We follow responsible disclosure practices:
- Private Reporting: Vulnerabilities reported privately
- Assessment Period: Time to assess and develop fixes
- Coordinated Disclosure: Public disclosure after fixes are ready
- Credit: Recognition for responsible disclosure
Disclosure timelines by severity:
- Critical: Immediate disclosure after the fix is available
- High: Disclosure within 30 days
- Medium: Disclosure within 60 days
- Low: Disclosure within 90 days
Security best practices for contributors:
- Follow secure coding practices
- Review code for security issues
- Report potential vulnerabilities
- Keep dependencies updated
- Use security-focused development tools
For users:
- Keep the application updated
- Follow security configuration guidelines
- Report security issues promptly
- Monitor security advisories
- Use secure deployment practices
For deployment:
- Use encrypted connections
- Implement proper access controls
- Regular security audits
- Monitor for suspicious activity
For network security:
- Use TLS for all communications
- Implement proper authentication
- Monitor network traffic
- Regular security assessments
For application security:
- Input validation and sanitization
- Output encoding
- Secure session management
- Regular security testing
Security contacts:
- Primary: @tommihip (Maintainer)
- Backup: GitHub Security Advisories
- Emergency: Follow emergency procedures
As the project grows, security contacts will be updated to reflect the current governance phase and team structure.
Additional resources:
- Go Security: golang.org/security
- OWASP: owasp.org
- CVE Database: cve.mitre.org
- Go Vulnerability Database: pkg.go.dev/vuln
This security policy will be updated as the project evolves through governance phases. Changes will be communicated through:
- Repository announcements
- Security advisories
- Documentation updates
- Community notifications
Note: This security policy is designed for Phase 1 governance and will evolve as the project grows. For the most current information, always refer to the latest version of this document.