This page is a work in progress.
The Go CNA is a CVE Numbering Authority, which issues CVE IDs and publishes CVE Records for public vulnerabilities in the Go ecosystem. It is a sub-CNA of the Google CNA.
The Go CNA covers vulnerabilities in the Go project (the Go standard library and sub-repositories) and public vulnerabilities in importable Go modules that are not already covered by another CNA.
This scope is intended to explicitly exclude vulnerabilities in applications or packages written in Go that are not importable (for example, anything in package main
or an internal/
directory).
To report vulnerabilities in the Go project, refer to go.dev/security/policy.
TODO: add instructions
For more information, email security@golang.org.