# go-git Security Policy

The purpose of this security policy is to outline `go-git`'s process
for reporting, handling and disclosing security-sensitive information.

## Supported Versions

The project follows a version support policy where only the latest minor
release is actively supported. Therefore, only issues that impact the latest
minor release will be fixed. Users are encouraged to upgrade to the latest
minor/patch release to benefit from the most up-to-date features, bug fixes,
and security enhancements.

The supported versions policy applies to both the `go-git` library and its
associated repositories within the `go-git` org.

## Reporting Security Issues

Please report any security vulnerabilities or potential weaknesses in `go-git`
privately via go-git-security@googlegroups.com. Do not publicly disclose the
details of the vulnerability until a fix has been implemented and released.

During the process the project maintainers will investigate the report, so please
provide detailed information, including steps to reproduce, affected versions, and any mitigations if known.

The project maintainers will acknowledge the receipt of the report and work with
the reporter to validate and address the issue.

Please note that `go-git` does not have any bounty programs, and therefore does
not provide financial compensation for disclosures.

## Security Disclosure Process

The project maintainers will make every effort to promptly address security issues.

Once a security vulnerability is fixed, a security advisory will be published to notify users and provide appropriate mitigation measures.

All `go-git` advisories can be found at https://github.com/go-git/go-git/security/advisories.