github.com/s1s1ty/go@v0.0.0-20180207192209-104445e3140f/doc/security.html

github.com/s1s1ty/go@v0.0.0-20180207192209-104445e3140f/doc/security.html (about)

     1  <!--{
     2  	"Title": "Go Security Policy",
     3  	"Path":  "/security",
     4  	"Template": true
     5  }-->
     6  
     7  <h2>Implementation</h2>
     8  
     9  <h3>Reporting a Security Bug</h3>
    10  
    11  <p>
    12  Please report to us any issues you find.
    13  This document explains how to do that and what to expect in return.
    14  </p>
    15  
    16  <p>
    17  All security bugs in the Go distribution should be reported by email to
    18  <a href="mailto:security@golang.org">security@golang.org</a>.
    19  This mail is delivered to a small security team.
    20  Your email will be acknowledged within 24 hours, and you'll receive a more
    21  detailed response to your email within 72 hours indicating the next steps in
    22  handling your report.
    23  For critical problems, you can encrypt your report using our PGP key (listed below).
    24  </p>
    25  
    26  <p>
    27  Please use a descriptive subject line for your report email.
    28  After the initial reply to your report, the security team will endeavor to keep
    29  you informed of the progress being made towards a fix and full announcement.
    30  These updates will be sent at least every five days.
    31  In reality, this is more likely to be every 24-48 hours.
    32  </p>
    33  
    34  <p>
    35  If you have not received a reply to your email within 48 hours or you have not
    36  heard from the security team for the past five days please contact the Go
    37  security team directly:
    38  </p>
    39  
    40  <ul>
    41  <li>Primary security coordinator: <a href="mailto:adg@golang.org">Andrew Gerrand</a>  (<a href="https://drive.google.com/a/google.com/file/d/0B42ZAZN5yFufRldybEVNandRN2c/view">public key</a>).</li>
    42  <li>Secondary coordinator: <a href="mailto:agl@golang.org">Adam Langley</a> (<a href="https://www.imperialviolet.org/key.asc">public key</a>).</li>
    43  <li>If you receive no response, mail <a href="mailto:golang-dev@googlegroups.com">golang-dev@googlegroups.com</a> or use the <a href="https://groups.google.com/forum/#!forum/golang-dev">golang-dev web interface</a>.</li>
    44  </ul>
    45  
    46  <p>
    47  Please note that golang-dev is a public discussion forum.
    48  When escalating on this list, please do not disclose the details of the issue.
    49  Simply state that you're trying to reach a member of the security team.
    50  </p>
    51  
    52  <h3>Flagging Existing Issues as Security-related</h3>
    53  
    54  <p>
    55  If you believe that an <a href="https://golang.org/issue">existing issue</a>
    56  is security-related, we ask that you send an email to
    57  <a href="mailto:security@golang.org">security@golang.org</a>.
    58  The email should include the issue ID and a short description of why it should
    59  be handled according to this security policy.
    60  </p>
    61  
    62  <h3>Disclosure Process</h3>
    63  
    64  <p>The Go project uses the following disclosure process:</p>
    65  
    66  <ol>
    67  <li>Once the security report is received it is assigned a primary handler.
    68  This person coordinates the fix and release process.</li>
    69  <li>The issue is confirmed and a list of affected software is determined.</li>
    70  <li>Code is audited to find any potential similar problems.</li>
    71  <li>If it is determined, in consultation with the submitter, that a CVE-ID is
    72  required, the primary handler obtains one via email to
    73  <a href="http://oss-security.openwall.org/wiki/mailing-lists/distros">oss-distros</a>.</li>
    74  <li>Fixes are prepared for the two most recent major releases and the head/master
    75  revision. These fixes are not yet committed to the public repository.</li>
    76  <li>A notification is sent to the
    77  <a href="https://groups.google.com/group/golang-announce">golang-announce</a>
    78  mailing list to give users time to prepare their systems for the update.</li>
    79  <li>Three working days following this notification, the fixes are applied to
    80  the <a href="https://go.googlesource.com/go">public repository</a> and a new
    81  Go release is issued.</li>
    82  <li>On the date that the fixes are applied, announcements are sent to
    83  <a href="https://groups.google.com/group/golang-announce">golang-announce</a>,
    84  <a href="https://groups.google.com/group/golang-dev">golang-dev</a>, and
    85  <a href="https://groups.google.com/group/golang-nuts">golang-nuts</a>.
    86  </ol>
    87  
    88  <p>
    89  This process can take some time, especially when coordination is required with
    90  maintainers of other projects. Every effort will be made to handle the bug in
    91  as timely a manner as possible, however it's important that we follow the
    92  process described above to ensure that disclosures are handled consistently.
    93  </p>
    94  
    95  <p>
    96  For security issues that include the assignment of a CVE-ID,
    97  the issue is listed publicly under the
    98  <a href="https://www.cvedetails.com/vulnerability-list/vendor_id-14185/Golang.html">"Golang" product on the CVEDetails website</a>
    99  as well as the
   100  <a href="https://web.nvd.nist.gov/view/vuln/search">National Vulnerability Disclosure site</a>.
   101  </p>
   102  
   103  <h3>Receiving Security Updates</h3>
   104  
   105  <p>
   106  The best way to receive security announcements is to subscribe to the
   107  <a href="https://groups.google.com/forum/#!forum/golang-announce">golang-announce</a>
   108  mailing list. Any messages pertaining to a security issue will be prefixed
   109  with <code>[security]</code>.
   110  </p>
   111  
   112  <h3>Comments on This Policy</h3>
   113  
   114  <p>
   115  If you have any suggestions to improve this policy, please send an email to
   116  <a href="mailto:golang-dev@golang.org">golang-dev@golang.org</a> for discussion.
   117  </p>
   118  
   119  <h3>PGP Key for <a href="mailto:security@golang.org">security@golang.org</a></h3>
   120  
   121  <p>
   122  We accept PGP-encrypted email, but the majority of the security team
   123  are not regular PGP users so it's somewhat inconvenient. Please only
   124  use PGP for critical security reports.
   125  </p>
   126  
   127  <pre>
   128  -----BEGIN PGP PUBLIC KEY BLOCK-----
   129  Comment: GPGTools - https://gpgtools.org
   130  
   131  mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te
   132  +fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT
   133  J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L
   134  ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75
   135  8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3
   136  oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc
   137  7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF
   138  X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN
   139  JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk
   140  xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE
   141  0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB
   142  tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCPQQTAQoA
   143  JwUCVcjWHQIbAwUJB4YfgAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRA6RtGR
   144  eVpYOLnDD/9YVTd6DTwdJq6irVfM/ICPlPTXB0JLERqCI1Veptcp56eQoJ0XWGQp
   145  tkGlgbvmCzFo0B+65Te7YA4R3oyBCXd6JgyWQQPy5p60FHyuuCPVAReclSWyt9f2
   146  Yj/u4DjghKhELOvPiI96egcU3g9jrEEcPjm7JYkc9M2gVSNOnnJvcD7wpQJNCzon
   147  51eMZ1ZyfA5UCBTa0SaT9eXg5zwNlYQnB6ZF6TjXezkhLqlTsBuHxoNVf+9vCC0o
   148  ZKIM2ovptMx9eEguTDKWaQ7tero7Zs/q5fwk/MDzM/LGJ9aXy2RCtqBxv46vDS7G
   149  fCNq+aPD/wyFd6hxQkvkua6hgZwYT+cJWHYA2Yv0LO3BYOJdjfc+j2hjv+mC9lF0
   150  UpWhCVJv3hHoFaxnz62GdROzf2wXz6aR9Saj1rYSvqT9jC20VInxqMufXNN2sbpo
   151  Kyk6MTbAeepphQpfAWQv+ltWgBiEjuFxYdwv/vmw20996JV7O8nqkeCUW84B6su+
   152  Y3bbdP9o3DBtOT0j9LTB/FucmdNCNHoO+EnNBKJd6FoYTGLWi3Rq9DLx2V9tdJHo
   153  Bn67dymcl+iyp337HJNY+qS+KCgoqAWlxkzXRiXKb/yluhXdIkqhg4kL8JPAJvfS
   154  cs7Zn67Mx04ixJnRMYCDmxtD4xPsFMzM7g8m3PQp+nE7WhujM/ImM7kCDQRVyNYd
   155  ARAAlw9H/1ybQs4K3XKA1joII16rta9KS7ew76+agXo0jeSRwMEQfItOxYvfhmo8
   156  +ydn5TWsTbifGU8L3+EBTMRRyzWhbaGO0Wizw7BTVJ7n5JW+ndPrcUpp/ilUk6AU
   157  VxaO/8/R+9+VJZpoeoLHXYloFGNuX58GLIy1jSBvLsLl/Ki5IOrHvD1GK6TftOl5
   158  j8IPC1LSBrwGJO803x7wUdQP/tsKN/QPR8pnBntrEgrQFSI+Q3qrCvVMmXnBlYum
   159  jfOBt8pKMgB9/ix+HWN8piQNQiJxD+XjEM6XwUmQqIR7y5GINKWgundCmtYIzVgY
   160  9p2Br6UPrTJi12LfKv5s2R6NnxFHv/ad29CpPTeLJRsSqFfqBL969BCpj/isXmQE
   161  m4FtziZidARXo12KiGAnPF9otirNHp4+8hwNB3scf7cI53y8nZivO9cwI7BoClY6
   162  ZIabjDcJxjK+24emoz3mJ5SHpZpQLSb9o8GbLLfXOq+4uzEX2A30fhrtsQb/x0GM
   163  4v3EU1aP2mjuksyYbgldtY64tD35wqAA9mVl5Ux+g1HoUBvLw0h+lzwh370NJw//
   164  ITvBQVUtDMB96rfIP4fL5pYl5pmRz+vsuJ0iXzm05qBgKfSqO7To9SWxQPdX89R4
   165  u0/XVAlw0Ak9Zceq3W96vseEUTR3aoZCMIPiwfcDaq60rWUAEQEAAYkCJQQYAQoA
   166  DwUCVcjWHQIbDAUJB4YfgAAKCRA6RtGReVpYOEg/EADZcIYw4q1jAbDkDy3LQG07
   167  AR8QmLp/RDp72RKbCSIYyvyXEnmrhUg98lUG676qTH+Y7dlEX107dLhFuKEYyV8D
   168  ZalrFQO/3WpLWdIAmWrj/wq14qii1rgmy96Nh3EqG3CS50HEMGkW1llRx2rgBvGl
   169  pgoTcwOfT+h8s0HlZdIS/cv2wXqwPgMWr1PIk3as1fu1OH8n/BjeGQQnNJEaoBV7
   170  El2C/hz3oqf2uYQ1QvpU23F1NrstekxukO8o2Y/fqsgMJqAiNJApUCl/dNhK+W57
   171  iicjvPirUQk8MUVEHXKhWIzYxon6aEUTx+xyNMBpRJIZlJ61FxtnZhoPiAFtXVPb
   172  +95BRJA9npidlVFjqz9QDK/4NSnJ3KaERR9tTDcvq4zqT22Z1Ai5gWQKqogTz5Mk
   173  F+nZwVizW0yi33id9qDpAuApp8o6AiyH5Ql1Bo23bvqS2lMrXPIS/QmPPsA76CBs
   174  lYjQwwz8abUD1pPdzyYtMKZUMwhicSFOHFDM4oQN16k2KJuntuih8BKVDCzIOq+E
   175  KHyeh1BqWplUtFh1ckxZlXW9p9F7TsWjtfcKaY8hkX0Cr4uVjwAFIjLcAxk67ROe
   176  huEb3Gt+lwJz6aNnZUU87ukMAxRVR2LL0btdxgc6z8spl66GXro/LUkXmAdyOEMV
   177  UDrmjf9pr7o00hC7lCHFzw==
   178  =WE0r
   179  -----END PGP PUBLIC KEY BLOCK-----
   180  </pre>