|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Reporting a Vulnerability |
| 4 | + |
| 5 | +The `cobra` maintainers take security issues seriously and |
| 6 | +we appreciate your efforts to _**responsibly**_ disclose your findings. |
| 7 | +We will make every effort to swiftly respond and address concerns. |
| 8 | + |
| 9 | +To report a security vulnerability: |
| 10 | + |
| 11 | +1. **DO NOT** create a public GitHub issue for the vulnerability! |
| 12 | +2. **DO NOT** create a public GitHub Pull Request with a fix for the vulnerability! |
| 13 | +3. Send an email to `[email protected]`. |
| 14 | +4. Include the following details in your report: |
| 15 | + - Description of the vulnerability |
| 16 | + - Steps to reproduce |
| 17 | + - Potential impact of the vulnerability (to your downstream project, to the Go ecosystem, etc.) |
| 18 | + - Any potential mitigations you've already identified |
| 19 | +5. Allow up to 7 days for an initial response. |
| 20 | + You should receive an acknowledgment of your report and an estimated timeline for a fix. |
| 21 | +6. (Optional) If you have a fix and would like to contribute your patch, please work |
| 22 | + directly with the maintainers via `[email protected]` to |
| 23 | + coordinate pushing the patch to GitHub, cutting a new release, and disclosing the change. |
| 24 | + |
| 25 | +## Response Process |
| 26 | + |
| 27 | +When a security vulnerability report is received, the `cobra` maintainers will: |
| 28 | + |
| 29 | +1. Confirm receipt of the vulnerability report within 7 days. |
| 30 | +2. Assess the report to determine if it constitutes a security vulnerability. |
| 31 | +3. If confirmed, assign the vulnerability a severity level and create a timeline for addressing it. |
| 32 | +4. Develop and test a fix. |
| 33 | +5. Patch the vulnerability and make a new GitHub release: the maintainers will coordinate disclosure with the reporter. |
| 34 | +6. Create a new GitHub Security Advisory to inform the broader Go ecosystem |
| 35 | + |
| 36 | +## Disclosure Policy |
| 37 | + |
| 38 | +The `cobra` maintainers follow a coordinated disclosure process: |
| 39 | + |
| 40 | +1. Security vulnerabilities will be addressed as quickly as possible. |
| 41 | +2. A CVE (Common Vulnerabilities and Exposures) identifier will be requested for significant vulnerabilities |
| 42 | + that are within `cobra` itself. |
| 43 | +3. Once a fix is ready, the maintainers will: |
| 44 | + - Release a new version containing the fix. |
| 45 | + - Update the security advisory with details about the vulnerability. |
| 46 | + - Credit the reporter (unless they wish to remain anonymous). |
| 47 | + - Credit the fixer (unless they wish to remain anonymous, this may be the same as the reporter). |
| 48 | + - Announce the vulnerability through appropriate channels |
| 49 | + (GitHub Security Advisory, mailing lists, GitHub Releases, etc.) |
| 50 | + |
| 51 | +## Supported Versions |
| 52 | + |
| 53 | +Security fixes will typically only be released for the most recent major release. |
| 54 | + |
| 55 | +## Upstream Security Issues |
| 56 | + |
| 57 | +`cobra` generally will not accept vulnerability reports that originate in upstream |
| 58 | +dependencies. I.e., if there is a problem in Go code that `cobra` depends on, |
| 59 | +it is best to engage that project's maintainers and owners. |
| 60 | + |
| 61 | +This security policy primarily pertains only to `cobra` itself but if you believe you've |
| 62 | +identified a problem that originates in an upstream dependency and is being widely |
| 63 | +distributed by `cobra`, please follow the disclosure procedure above: the `cobra` |
| 64 | +maintainers will work with you to determine the severity and ecosystem impact. |
| 65 | + |
| 66 | +## Security Updates and CVEs |
| 67 | + |
| 68 | +Information about known security vulnerabilities and CVEs affecting `cobra` will |
| 69 | +be published as GitHub Security Advisories at |
| 70 | +https://github.com/spf13/cobra/security/advisories. |
| 71 | + |
| 72 | +All users are encouraged to watch the repository and upgrade promptly when |
| 73 | +security releases are published. |
| 74 | + |
| 75 | +## `cobra` Security Best Practices for Users |
| 76 | + |
| 77 | +When using `cobra` in your CLIs, the `cobra` maintainers recommend the following: |
| 78 | + |
| 79 | +1. Always use the latest version of `cobra`. |
| 80 | +2. [Use Go modules](https://go.dev/blog/using-go-modules) for dependency management. |
| 81 | +3. Always use the latest possible version of Go. |
| 82 | + |
| 83 | +## Security Best Practices for Contributors |
| 84 | + |
| 85 | +When contributing to `cobra`: |
| 86 | + |
| 87 | +1. Be mindful of security implications when adding new features or modifying existing ones. |
| 88 | +2. Be aware of `cobra`'s extremely large reach: it is used in nearly every Go CLI |
| 89 | + (like Kubernetes, Docker, Prometheus, etc. etc.) |
| 90 | +3. Write tests that explicitly cover edge cases and potential issues. |
| 91 | +4. If you discover a security issue while working on `cobra`, please report it |
| 92 | + following the process above rather than opening a public pull request or issue that |
| 93 | + addresses the vulnerability. |
| 94 | +5. Take personal sec-ops seriously and secure your GitHub account: use [two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa), |
| 95 | + [sign your commits with a GPG or SSH key](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification), |
| 96 | + etc. |
| 97 | + |
| 98 | +## Acknowledgments |
| 99 | + |
| 100 | +The `cobra` maintainers would like to thank all security researchers and |
| 101 | +community members who help keep cobra, its users, and the entire Go ecosystem secure through responsible disclosures!! |
| 102 | + |
| 103 | +--- |
| 104 | + |
| 105 | +*This security policy is inspired by the [Open Web Application Security Project (OWASP)](https://owasp.org/) guidelines and security best practices.* |
0 commit comments