1
0

security.html 8.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180
  1. <!--{
  2. "Title": "Go Security Policy",
  3. "Path": "/security",
  4. "Template": true
  5. }-->
  6. <h2>Implementation</h2>
  7. <h3>Reporting a Security Bug</h3>
  8. <p>
  9. Please report to us any issues you find.
  10. This document explains how to do that and what to expect in return.
  11. </p>
  12. <p>
  13. All security bugs in the Go distribution should be reported by email to
  14. <a href="mailto:security@golang.org">security@golang.org</a>.
  15. This mail is delivered to a small security team.
  16. Your email will be acknowledged within 24 hours, and you'll receive a more
  17. detailed response to your email within 72 hours indicating the next steps in
  18. handling your report.
  19. For critical problems, you can encrypt your report using our PGP key (listed below).
  20. </p>
  21. <p>
  22. Please use a descriptive subject line for your report email.
  23. After the initial reply to your report, the security team will endeavor to keep
  24. you informed of the progress being made towards a fix and full announcement.
  25. These updates will be sent at least every five days.
  26. In reality, this is more likely to be every 24-48 hours.
  27. </p>
  28. <p>
  29. If you have not received a reply to your email within 48 hours or you have not
  30. heard from the security team for the past five days please contact the Go
  31. security team directly:
  32. </p>
  33. <ul>
  34. <li>Primary security coordinator: <a href="mailto:adg@golang.org">Andrew Gerrand</a> (<a href="https://drive.google.com/a/google.com/file/d/0B42ZAZN5yFufRldybEVNandRN2c/view">public key</a>).</li>
  35. <li>Secondary coordinator: <a href="mailto:agl@golang.org">Adam Langley</a> (<a href="https://www.imperialviolet.org/key.asc">public key</a>).</li>
  36. <li>If you receive no response, mail <a href="mailto:golang-dev@googlegroups.com">golang-dev@googlegroups.com</a> or use the <a href="https://groups.google.com/forum/#!forum/golang-dev">golang-dev web interface</a>.</li>
  37. </ul>
  38. <p>
  39. Please note that golang-dev is a public discussion forum.
  40. When escalating on this list, please do not disclose the details of the issue.
  41. Simply state that you're trying to reach a member of the security team.
  42. </p>
  43. <h3>Flagging Existing Issues as Security-related</h3>
  44. <p>
  45. If you believe that an <a href="https://golang.org/issue">existing issue</a>
  46. is security-related, we ask that you send an email to
  47. <a href="mailto:security@golang.org">security@golang.org</a>.
  48. The email should include the issue ID and a short description of why it should
  49. be handled according to this security policy.
  50. </p>
  51. <h3>Disclosure Process</h3>
  52. <p>The Go project uses the following disclosure process:</p>
  53. <ol>
  54. <li>Once the security report is received it is assigned a primary handler.
  55. This person coordinates the fix and release process.</li>
  56. <li>The issue is confirmed and a list of affected software is determined.</li>
  57. <li>Code is audited to find any potential similar problems.</li>
  58. <li>If it is determined, in consultation with the submitter, that a CVE-ID is
  59. required, the primary handler obtains one via email to
  60. <a href="http://oss-security.openwall.org/wiki/mailing-lists/distros">oss-distros</a>.</li>
  61. <li>Fixes are prepared for the two most recent major releases and the head/master
  62. revision. These fixes are not yet committed to the public repository.</li>
  63. <li>A notification is sent to the
  64. <a href="https://groups.google.com/group/golang-announce">golang-announce</a>
  65. mailing list to give users time to prepare their systems for the update.</li>
  66. <li>Three working days following this notification, the fixes are applied to
  67. the <a href="https://go.googlesource.com/go">public repository</a> and a new
  68. Go release is issued.</li>
  69. <li>On the date that the fixes are applied, announcements are sent to
  70. <a href="https://groups.google.com/group/golang-announce">golang-announce</a>,
  71. <a href="https://groups.google.com/group/golang-dev">golang-dev</a>, and
  72. <a href="https://groups.google.com/group/golang-nuts">golang-nuts</a>.
  73. </ol>
  74. <p>
  75. This process can take some time, especially when coordination is required with
  76. maintainers of other projects. Every effort will be made to handle the bug in
  77. as timely a manner as possible, however it's important that we follow the
  78. process described above to ensure that disclosures are handled consistently.
  79. </p>
  80. <p>
  81. For security issues that include the assignment of a CVE-ID,
  82. the issue is listed publicly under the
  83. <a href="https://www.cvedetails.com/vulnerability-list/vendor_id-14185/Golang.html">"Golang" product on the CVEDetails website</a>
  84. as well as the
  85. <a href="https://web.nvd.nist.gov/view/vuln/search">National Vulnerability Disclosure site</a>.
  86. </p>
  87. <h3>Receiving Security Updates</h3>
  88. <p>
  89. The best way to receive security announcements is to subscribe to the
  90. <a href="https://groups.google.com/forum/#!forum/golang-announce">golang-announce</a>
  91. mailing list. Any messages pertaining to a security issue will be prefixed
  92. with <code>[security]</code>.
  93. </p>
  94. <h3>Comments on This Policy</h3>
  95. <p>
  96. If you have any suggestions to improve this policy, please send an email to
  97. <a href="mailto:golang-dev@golang.org">golang-dev@golang.org</a> for discussion.
  98. </p>
  99. <h3>PGP Key for <a href="mailto:security@golang.org">security@golang.org</a></h3>
  100. <p>
  101. We accept PGP-encrypted email, but the majority of the security team
  102. are not regular PGP users so it's somewhat inconvenient. Please only
  103. use PGP for critical security reports.
  104. </p>
  105. <pre>
  106. -----BEGIN PGP PUBLIC KEY BLOCK-----
  107. Comment: GPGTools - https://gpgtools.org
  108. mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te
  109. +fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT
  110. J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L
  111. ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75
  112. 8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3
  113. oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc
  114. 7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF
  115. X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN
  116. JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk
  117. xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE
  118. 0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB
  119. tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCPQQTAQoA
  120. JwUCVcjWHQIbAwUJB4YfgAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRA6RtGR
  121. eVpYOLnDD/9YVTd6DTwdJq6irVfM/ICPlPTXB0JLERqCI1Veptcp56eQoJ0XWGQp
  122. tkGlgbvmCzFo0B+65Te7YA4R3oyBCXd6JgyWQQPy5p60FHyuuCPVAReclSWyt9f2
  123. Yj/u4DjghKhELOvPiI96egcU3g9jrEEcPjm7JYkc9M2gVSNOnnJvcD7wpQJNCzon
  124. 51eMZ1ZyfA5UCBTa0SaT9eXg5zwNlYQnB6ZF6TjXezkhLqlTsBuHxoNVf+9vCC0o
  125. ZKIM2ovptMx9eEguTDKWaQ7tero7Zs/q5fwk/MDzM/LGJ9aXy2RCtqBxv46vDS7G
  126. fCNq+aPD/wyFd6hxQkvkua6hgZwYT+cJWHYA2Yv0LO3BYOJdjfc+j2hjv+mC9lF0
  127. UpWhCVJv3hHoFaxnz62GdROzf2wXz6aR9Saj1rYSvqT9jC20VInxqMufXNN2sbpo
  128. Kyk6MTbAeepphQpfAWQv+ltWgBiEjuFxYdwv/vmw20996JV7O8nqkeCUW84B6su+
  129. Y3bbdP9o3DBtOT0j9LTB/FucmdNCNHoO+EnNBKJd6FoYTGLWi3Rq9DLx2V9tdJHo
  130. Bn67dymcl+iyp337HJNY+qS+KCgoqAWlxkzXRiXKb/yluhXdIkqhg4kL8JPAJvfS
  131. cs7Zn67Mx04ixJnRMYCDmxtD4xPsFMzM7g8m3PQp+nE7WhujM/ImM7kCDQRVyNYd
  132. ARAAlw9H/1ybQs4K3XKA1joII16rta9KS7ew76+agXo0jeSRwMEQfItOxYvfhmo8
  133. +ydn5TWsTbifGU8L3+EBTMRRyzWhbaGO0Wizw7BTVJ7n5JW+ndPrcUpp/ilUk6AU
  134. VxaO/8/R+9+VJZpoeoLHXYloFGNuX58GLIy1jSBvLsLl/Ki5IOrHvD1GK6TftOl5
  135. j8IPC1LSBrwGJO803x7wUdQP/tsKN/QPR8pnBntrEgrQFSI+Q3qrCvVMmXnBlYum
  136. jfOBt8pKMgB9/ix+HWN8piQNQiJxD+XjEM6XwUmQqIR7y5GINKWgundCmtYIzVgY
  137. 9p2Br6UPrTJi12LfKv5s2R6NnxFHv/ad29CpPTeLJRsSqFfqBL969BCpj/isXmQE
  138. m4FtziZidARXo12KiGAnPF9otirNHp4+8hwNB3scf7cI53y8nZivO9cwI7BoClY6
  139. ZIabjDcJxjK+24emoz3mJ5SHpZpQLSb9o8GbLLfXOq+4uzEX2A30fhrtsQb/x0GM
  140. 4v3EU1aP2mjuksyYbgldtY64tD35wqAA9mVl5Ux+g1HoUBvLw0h+lzwh370NJw//
  141. ITvBQVUtDMB96rfIP4fL5pYl5pmRz+vsuJ0iXzm05qBgKfSqO7To9SWxQPdX89R4
  142. u0/XVAlw0Ak9Zceq3W96vseEUTR3aoZCMIPiwfcDaq60rWUAEQEAAYkCJQQYAQoA
  143. DwUCVcjWHQIbDAUJB4YfgAAKCRA6RtGReVpYOEg/EADZcIYw4q1jAbDkDy3LQG07
  144. AR8QmLp/RDp72RKbCSIYyvyXEnmrhUg98lUG676qTH+Y7dlEX107dLhFuKEYyV8D
  145. ZalrFQO/3WpLWdIAmWrj/wq14qii1rgmy96Nh3EqG3CS50HEMGkW1llRx2rgBvGl
  146. pgoTcwOfT+h8s0HlZdIS/cv2wXqwPgMWr1PIk3as1fu1OH8n/BjeGQQnNJEaoBV7
  147. El2C/hz3oqf2uYQ1QvpU23F1NrstekxukO8o2Y/fqsgMJqAiNJApUCl/dNhK+W57
  148. iicjvPirUQk8MUVEHXKhWIzYxon6aEUTx+xyNMBpRJIZlJ61FxtnZhoPiAFtXVPb
  149. +95BRJA9npidlVFjqz9QDK/4NSnJ3KaERR9tTDcvq4zqT22Z1Ai5gWQKqogTz5Mk
  150. F+nZwVizW0yi33id9qDpAuApp8o6AiyH5Ql1Bo23bvqS2lMrXPIS/QmPPsA76CBs
  151. lYjQwwz8abUD1pPdzyYtMKZUMwhicSFOHFDM4oQN16k2KJuntuih8BKVDCzIOq+E
  152. KHyeh1BqWplUtFh1ckxZlXW9p9F7TsWjtfcKaY8hkX0Cr4uVjwAFIjLcAxk67ROe
  153. huEb3Gt+lwJz6aNnZUU87ukMAxRVR2LL0btdxgc6z8spl66GXro/LUkXmAdyOEMV
  154. UDrmjf9pr7o00hC7lCHFzw==
  155. =WE0r
  156. -----END PGP PUBLIC KEY BLOCK-----
  157. </pre>