_content/security.html - website - Git at Google

 <!--{
 	"Title": "Go Security Policy"
 }-->

 <h2>Implementation</h2>

 <h3>Reporting a Security Bug</h3>

 <p>
 Please report to us any issues you find.
 This document explains how to do that and what to expect in return.
 </p>

 <p>
 All security bugs in the Go distribution should be reported by email to
 <a href="mailto:security@golang.org">security@golang.org</a>.
 This mail is delivered to a small security team.
 Your email will be acknowledged within 24 hours, and you'll receive a more
 detailed response to your email within 72 hours indicating the next steps in
 handling your report.
 </p>

 <p>
 To ensure your report is not marked as spam, please include the word "vulnerability"
 anywhere in your email. Please use a descriptive subject line for your report email.
 </p>

 <p>
 After the initial reply to your report, the security team will endeavor to keep
 you informed of the progress being made towards a fix and full announcement.
 These updates will be sent at least every five days.
 In reality, this is more likely to be every 24-48 hours.
 </p>

 <p>
 If you have not received a reply to your email within 48 hours or you have not
 heard from the security team for the past five days please contact the Go
 security team directly:
 </p>

 <ul>
 <li>Primary security coordinator: <a href="mailto:filippo@golang.org">Filippo Valsorda</a>.</li>
 <li>Secondary coordinator: <a href="mailto:agl@golang.org">Adam Langley</a>.</li>
 <li>If you receive no response, mail <a href="mailto:golang-dev@googlegroups.com">golang-dev@googlegroups.com</a> or use the <a href="https://groups.google.com/forum/#!forum/golang-dev">golang-dev web interface</a>.</li>
 </ul>

 <p>
 Please note that golang-dev is a public discussion forum.
 When escalating on this list, please do not disclose the details of the issue.
 Simply state that you're trying to reach a member of the security team.
 </p>

 <h3>Flagging Existing Issues as Security-related</h3>

 <p>
 If you believe that an <a href="https://golang.org/issue">existing issue</a>
 is security-related, we ask that you send an email to
 <a href="mailto:security@golang.org">security@golang.org</a>.
 The email should include the issue ID and a short description of why it should
 be handled according to this security policy.
 </p>

 <h3>Disclosure Process</h3>

 <p>The Go project uses the following disclosure process:</p>

 <ol>
 <li>Once the security report is received it is assigned a primary handler.
 This person coordinates the fix and release process.</li>
 <li>The issue is confirmed and a list of affected software is determined.</li>
 <li>Code is audited to find any potential similar problems.</li>
 <li>If it is determined, in consultation with the submitter, that a CVE-ID is
 required, the primary handler obtains one via email to
 <a href="https://oss-security.openwall.org/wiki/mailing-lists/distros">oss-distros</a>.</li>
 <li>Fixes are prepared for the two most recent major releases and the head/master
 revision. These fixes are not yet committed to the public repository.</li>
 <li>A notification is sent to the
 <a href="https://groups.google.com/group/golang-announce">golang-announce</a>
 mailing list to give users time to prepare their systems for the update.</li>
 <li>Three working days following this notification, the fixes are applied to
 the <a href="https://go.googlesource.com/go">public repository</a> and a new
 Go release is issued.</li>
 <li>On the date that the fixes are applied, announcements are sent to
 <a href="https://groups.google.com/group/golang-announce">golang-announce</a>,
 <a href="https://groups.google.com/group/golang-dev">golang-dev</a>, and
 <a href="https://groups.google.com/group/golang-nuts">golang-nuts</a>.
 </ol>

 <p>
 This process can take some time, especially when coordination is required with
 maintainers of other projects. Every effort will be made to handle the bug in
 as timely a manner as possible, however it's important that we follow the
 process described above to ensure that disclosures are handled consistently.
 </p>

 <p>
 For security issues that include the assignment of a CVE-ID,
 the issue is listed publicly under the
 <a href="https://www.cvedetails.com/vulnerability-list/vendor_id-14185/Golang.html">"Golang" product on the CVEDetails website</a>
 as well as the
 <a href="https://web.nvd.nist.gov/view/vuln/search">National Vulnerability Disclosure site</a>.
 </p>

 <h3>Receiving Security Updates</h3>

 <p>
 The best way to receive security announcements is to subscribe to the
 <a href="https://groups.google.com/forum/#!forum/golang-announce">golang-announce</a>
 mailing list. Any messages pertaining to a security issue will be prefixed
 with <code>[security]</code>.
 </p>

 <h3>Comments on This Policy</h3>

 <p>
 If you have any suggestions to improve this policy, please send an email to
 <a href="mailto:golang-dev@golang.org">golang-dev@golang.org</a> for discussion.
 </p>

 <h3>PGP Key for <a href="mailto:security@golang.org">security@golang.org</a></h3>

 <p>
 We accept PGP-encrypted email, but the majority of the security team
 are not regular PGP users so it's somewhat inconvenient. Please only
 use PGP for critical security reports.
 </p>

 <pre>
 -----BEGIN PGP PUBLIC KEY BLOCK-----

 mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te
 +fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT
 J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L
 ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75
 8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3
 oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc
 7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF
 X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN
 JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk
 xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE
 0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB
 tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCTgQTAQoA
 OAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBGROHzjvGgTlE7xbTTpG0ZF5
 Wlg4BQJd8rfQAAoJEDpG0ZF5Wlg4198P/2YDcEwEqWBWjriLFXdTGOcVxQ7AC/mX
 Fe576zwgmrbqO00IaHOOqZZYXKd078FZyg2qQKILvfSAQB7EtLwfPEgv3Wca/Jb/
 ma2hNz+AveiWDVuF4yPx8qvFer/6Yzv9+anfpUP//qfo/7L3VSYKwNAcqqNGvBMh
 fLb7oWDSkdRmcu57c4WYv8i5BtxMRXs581r836bG3U0z0WQG8j64RpYp6sipqJnv
 09l3R5SXd7kkS26ntLU4fgTNJ6Eim7YoXsqLtVe4VZHGYz3D0yHnvCBpbJa2WpP2
 QT6TtFizvKtQlC0k1uo88VV8DyRdp2V6BO9cSNecvXZh81H0SjtD9MwdMnpX3shT
 LKu3L6wlJtb/EJVZg6+usJo0VunUdNTiBmy4FJrko7YYOSVHKKBA6dooufGNUSjw
 9Tieqh4jnzpg6+aIrNugZIrABH2G0GD/SvUSfjli0i+D1mqQSsMcLzE1BBcichpS
 htjv6fU8nI5XXmloUn1P2WBwziemsb7YcfBLNVeCxlAmoJn1hnOPjNzmKfVZk95E
 VJNvVB76JCh+S/0bAba5+nBZ1HRn/FAbs9vfUpp1sOFf25jX9bDAZvkqwgyPpNv/
 jONK0zNXRD5AfKdCA1nkMI70NNS5oBxPowp95eKyuw4hCINvfuPq5sLJa3cIMj3M
 MVO91QDs9eXxuQINBFXI1h0BEACXD0f/XJtCzgrdcoDWOggjXqu1r0pLt7Dvr5qB
 ejSN5JHAwRB8i07Fi9+Gajz7J2flNaxNuJ8ZTwvf4QFMxFHLNaFtoY7RaLPDsFNU
 nufklb6d0+txSmn+KVSToBRXFo7/z9H735Ulmmh6gsddiWgUY25fnwYsjLWNIG8u
 wuX8qLkg6se8PUYrpN+06XmPwg8LUtIGvAYk7zTfHvBR1A/+2wo39A9HymcGe2sS
 CtAVIj5DeqsK9UyZecGVi6aN84G3ykoyAH3+LH4dY3ymJA1CInEP5eMQzpfBSZCo
 hHvLkYg0paC6d0Ka1gjNWBj2nYGvpQ+tMmLXYt8q/mzZHo2fEUe/9p3b0Kk9N4sl
 GxKoV+oEv3r0EKmP+KxeZASbgW3OJmJ0BFejXYqIYCc8X2i2Ks0enj7yHA0Hexx/
 twjnfLydmK871zAjsGgKVjpkhpuMNwnGMr7bh6ajPeYnlIelmlAtJv2jwZsst9c6
 r7i7MRfYDfR+Gu2xBv/HQYzi/cRTVo/aaO6SzJhuCV21jri0PfnCoAD2ZWXlTH6D
 UehQG8vDSH6XPCHfvQ0nD/8hO8FBVS0MwH3qt8g/h8vmliXmmZHP6+y4nSJfObTm
 oGAp9Ko7tOj1JbFA91fz1Hi7T9dUCXDQCT1lx6rdb3q+x4RRNHdqhkIwg+LB9wNq
 rrStZQARAQABiQI2BBgBCgAgAhsMFiEEZE4fOO8aBOUTvFtNOkbRkXlaWDgFAl3y
 uFYACgkQOkbRkXlaWDiMgw//YvO2nZxWNSnQxqCEi8RXHV/3qsDDe8LloviFFV/M
 GSiGZBOhLJ0bFm9aKKPoye5mrZXBKvEVPu0h1zn43+lZruhARPiTu2AecQ7fstET
 PyXMZJ4mfLSFIaAumuH9dQEQJA9RRaFK8uzPRgAxVKyuNYS89psz/RvSeRM3B7Li
 m9waLs42+5xtltR5F6HKPhrgS/rrFHKMrNiDNMMG2FYu1TjonA9QnzAxDPixH3A1
 VNEj6tVqVK8wCMpci3YaXZJntX0H3oO6qloL8qIpSMVrIiD4IDBDK13Jn3OJ7veq
 iDn1mbGFYtfu8R+QV2xeDSJ6nEKfV3Mc3PFDbJMdzkOCdvExC8qsuUOqO4J6dRt7
 9NVptL0xZqlBjpF9fq9XCt7ZcQLDqbUF/rUs58yKSqEGrruXTx4cTLtwkTLcqJOw
 /CSgFtE8cvY51uupuEFzfmt8JLNTxsm2X2NlsZYxFJhamVrGFroa55nqgKe3tF7e
 AQBU641SZRYloqGgPK+4PB79vV4RyEDETOpD3PvpN2IafVWDacI4LXW0a4EKnPUj
 7JwRBmZxESda3OixSONv/VcuEOyGAZUppbLM4XYTtslRIqdQJFr7Vkza/VIoUqaY
 MkFIioHf2QndVwDXt3d0b0aAGaLeMRD1MFGtLNigEDD45nPeEpuGzXkUATpVWGiV
 bIs=
 =Nx85
 -----END PGP PUBLIC KEY BLOCK-----
 </pre>
	<!--{
	"Title": "Go Security Policy"
	}-->

	<h2>Implementation</h2>

	<h3>Reporting a Security Bug</h3>

	<p>
	Please report to us any issues you find.
	This document explains how to do that and what to expect in return.
	</p>

	<p>
	All security bugs in the Go distribution should be reported by email to
	<a href="mailto:security@golang.org">security@golang.org</a>.
	This mail is delivered to a small security team.
	Your email will be acknowledged within 24 hours, and you'll receive a more
	detailed response to your email within 72 hours indicating the next steps in
	handling your report.
	</p>

	<p>
	To ensure your report is not marked as spam, please include the word "vulnerability"
	anywhere in your email. Please use a descriptive subject line for your report email.
	</p>

	<p>
	After the initial reply to your report, the security team will endeavor to keep
	you informed of the progress being made towards a fix and full announcement.
	These updates will be sent at least every five days.
	In reality, this is more likely to be every 24-48 hours.
	</p>

	<p>
	If you have not received a reply to your email within 48 hours or you have not
	heard from the security team for the past five days please contact the Go
	security team directly:
	</p>

	<ul>
	<li>Primary security coordinator: <a href="mailto:filippo@golang.org">Filippo Valsorda</a>.</li>
	<li>Secondary coordinator: <a href="mailto:agl@golang.org">Adam Langley</a>.</li>
	<li>If you receive no response, mail <a href="mailto:golang-dev@googlegroups.com">golang-dev@googlegroups.com</a> or use the <a href="https://groups.google.com/forum/#!forum/golang-dev">golang-dev web interface</a>.</li>
	</ul>

	<p>
	Please note that golang-dev is a public discussion forum.
	When escalating on this list, please do not disclose the details of the issue.
	Simply state that you're trying to reach a member of the security team.
	</p>

	<h3>Flagging Existing Issues as Security-related</h3>

	<p>
	If you believe that an <a href="https://golang.org/issue">existing issue</a>
	is security-related, we ask that you send an email to
	<a href="mailto:security@golang.org">security@golang.org</a>.
	The email should include the issue ID and a short description of why it should
	be handled according to this security policy.
	</p>

	<h3>Disclosure Process</h3>

	<p>The Go project uses the following disclosure process:</p>

	<ol>
	<li>Once the security report is received it is assigned a primary handler.
	This person coordinates the fix and release process.</li>
	<li>The issue is confirmed and a list of affected software is determined.</li>
	<li>Code is audited to find any potential similar problems.</li>
	<li>If it is determined, in consultation with the submitter, that a CVE-ID is
	required, the primary handler obtains one via email to
	<a href="https://oss-security.openwall.org/wiki/mailing-lists/distros">oss-distros</a>.</li>
	<li>Fixes are prepared for the two most recent major releases and the head/master
	revision. These fixes are not yet committed to the public repository.</li>
	<li>A notification is sent to the
	<a href="https://groups.google.com/group/golang-announce">golang-announce</a>
	mailing list to give users time to prepare their systems for the update.</li>
	<li>Three working days following this notification, the fixes are applied to
	the <a href="https://go.googlesource.com/go">public repository</a> and a new
	Go release is issued.</li>
	<li>On the date that the fixes are applied, announcements are sent to
	<a href="https://groups.google.com/group/golang-announce">golang-announce</a>,
	<a href="https://groups.google.com/group/golang-dev">golang-dev</a>, and
	<a href="https://groups.google.com/group/golang-nuts">golang-nuts</a>.
	</ol>

	<p>
	This process can take some time, especially when coordination is required with
	maintainers of other projects. Every effort will be made to handle the bug in
	as timely a manner as possible, however it's important that we follow the
	process described above to ensure that disclosures are handled consistently.
	</p>

	<p>
	For security issues that include the assignment of a CVE-ID,
	the issue is listed publicly under the
	<a href="https://www.cvedetails.com/vulnerability-list/vendor_id-14185/Golang.html">"Golang" product on the CVEDetails website</a>
	as well as the
	<a href="https://web.nvd.nist.gov/view/vuln/search">National Vulnerability Disclosure site</a>.
	</p>

	<h3>Receiving Security Updates</h3>

	<p>
	The best way to receive security announcements is to subscribe to the
	<a href="https://groups.google.com/forum/#!forum/golang-announce">golang-announce</a>
	mailing list. Any messages pertaining to a security issue will be prefixed
	with <code>[security]</code>.
	</p>

	<h3>Comments on This Policy</h3>

	<p>
	If you have any suggestions to improve this policy, please send an email to
	<a href="mailto:golang-dev@golang.org">golang-dev@golang.org</a> for discussion.
	</p>

	<h3>PGP Key for <a href="mailto:security@golang.org">security@golang.org</a></h3>

	<p>
	We accept PGP-encrypted email, but the majority of the security team
	are not regular PGP users so it's somewhat inconvenient. Please only
	use PGP for critical security reports.
	</p>

	<pre>
	-----BEGIN PGP PUBLIC KEY BLOCK-----

	mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te
	+fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT
	J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L
	ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75
	8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3
	oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc
	7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF
	X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN
	JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk
	xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE
	0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB
	tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCTgQTAQoA
	OAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBGROHzjvGgTlE7xbTTpG0ZF5
	Wlg4BQJd8rfQAAoJEDpG0ZF5Wlg4198P/2YDcEwEqWBWjriLFXdTGOcVxQ7AC/mX
	Fe576zwgmrbqO00IaHOOqZZYXKd078FZyg2qQKILvfSAQB7EtLwfPEgv3Wca/Jb/
	ma2hNz+AveiWDVuF4yPx8qvFer/6Yzv9+anfpUP//qfo/7L3VSYKwNAcqqNGvBMh
	fLb7oWDSkdRmcu57c4WYv8i5BtxMRXs581r836bG3U0z0WQG8j64RpYp6sipqJnv
	09l3R5SXd7kkS26ntLU4fgTNJ6Eim7YoXsqLtVe4VZHGYz3D0yHnvCBpbJa2WpP2
	QT6TtFizvKtQlC0k1uo88VV8DyRdp2V6BO9cSNecvXZh81H0SjtD9MwdMnpX3shT
	LKu3L6wlJtb/EJVZg6+usJo0VunUdNTiBmy4FJrko7YYOSVHKKBA6dooufGNUSjw
	9Tieqh4jnzpg6+aIrNugZIrABH2G0GD/SvUSfjli0i+D1mqQSsMcLzE1BBcichpS
	htjv6fU8nI5XXmloUn1P2WBwziemsb7YcfBLNVeCxlAmoJn1hnOPjNzmKfVZk95E
	VJNvVB76JCh+S/0bAba5+nBZ1HRn/FAbs9vfUpp1sOFf25jX9bDAZvkqwgyPpNv/
	jONK0zNXRD5AfKdCA1nkMI70NNS5oBxPowp95eKyuw4hCINvfuPq5sLJa3cIMj3M
	MVO91QDs9eXxuQINBFXI1h0BEACXD0f/XJtCzgrdcoDWOggjXqu1r0pLt7Dvr5qB
	ejSN5JHAwRB8i07Fi9+Gajz7J2flNaxNuJ8ZTwvf4QFMxFHLNaFtoY7RaLPDsFNU
	nufklb6d0+txSmn+KVSToBRXFo7/z9H735Ulmmh6gsddiWgUY25fnwYsjLWNIG8u
	wuX8qLkg6se8PUYrpN+06XmPwg8LUtIGvAYk7zTfHvBR1A/+2wo39A9HymcGe2sS
	CtAVIj5DeqsK9UyZecGVi6aN84G3ykoyAH3+LH4dY3ymJA1CInEP5eMQzpfBSZCo
	hHvLkYg0paC6d0Ka1gjNWBj2nYGvpQ+tMmLXYt8q/mzZHo2fEUe/9p3b0Kk9N4sl
	GxKoV+oEv3r0EKmP+KxeZASbgW3OJmJ0BFejXYqIYCc8X2i2Ks0enj7yHA0Hexx/
	twjnfLydmK871zAjsGgKVjpkhpuMNwnGMr7bh6ajPeYnlIelmlAtJv2jwZsst9c6
	r7i7MRfYDfR+Gu2xBv/HQYzi/cRTVo/aaO6SzJhuCV21jri0PfnCoAD2ZWXlTH6D
	UehQG8vDSH6XPCHfvQ0nD/8hO8FBVS0MwH3qt8g/h8vmliXmmZHP6+y4nSJfObTm
	oGAp9Ko7tOj1JbFA91fz1Hi7T9dUCXDQCT1lx6rdb3q+x4RRNHdqhkIwg+LB9wNq
	rrStZQARAQABiQI2BBgBCgAgAhsMFiEEZE4fOO8aBOUTvFtNOkbRkXlaWDgFAl3y
	uFYACgkQOkbRkXlaWDiMgw//YvO2nZxWNSnQxqCEi8RXHV/3qsDDe8LloviFFV/M
	GSiGZBOhLJ0bFm9aKKPoye5mrZXBKvEVPu0h1zn43+lZruhARPiTu2AecQ7fstET
	PyXMZJ4mfLSFIaAumuH9dQEQJA9RRaFK8uzPRgAxVKyuNYS89psz/RvSeRM3B7Li
	m9waLs42+5xtltR5F6HKPhrgS/rrFHKMrNiDNMMG2FYu1TjonA9QnzAxDPixH3A1
	VNEj6tVqVK8wCMpci3YaXZJntX0H3oO6qloL8qIpSMVrIiD4IDBDK13Jn3OJ7veq
	iDn1mbGFYtfu8R+QV2xeDSJ6nEKfV3Mc3PFDbJMdzkOCdvExC8qsuUOqO4J6dRt7
	9NVptL0xZqlBjpF9fq9XCt7ZcQLDqbUF/rUs58yKSqEGrruXTx4cTLtwkTLcqJOw
	/CSgFtE8cvY51uupuEFzfmt8JLNTxsm2X2NlsZYxFJhamVrGFroa55nqgKe3tF7e
	AQBU641SZRYloqGgPK+4PB79vV4RyEDETOpD3PvpN2IafVWDacI4LXW0a4EKnPUj
	7JwRBmZxESda3OixSONv/VcuEOyGAZUppbLM4XYTtslRIqdQJFr7Vkza/VIoUqaY
	MkFIioHf2QndVwDXt3d0b0aAGaLeMRD1MFGtLNigEDD45nPeEpuGzXkUATpVWGiV
	bIs=
	=Nx85
	-----END PGP PUBLIC KEY BLOCK-----
	</pre>