We currently only support the latest version of the project.

| Version | Supported |
|---|---|
| latest | ✅ |


The project relies on the following automated security measures:

- Static Analysis: gosec runs on every PR and push to main
- Vulnerability Scanning: govulncheck checks for known Go vulnerabilities
- Fuzz Testing: ClusterFuzzLite continuously fuzzes codec and store operations
- Code Scanning: GitHub CodeQL analysis on every PR
- Dependency Pinning: All CI actions and tools are pinned by hash
- Dependency Updates: Dependabot monitors for outdated and vulnerable dependencies


We use GitHub's Private Vulnerability Reporting.

Please do not open a public issue for security bugs. Instead:

1. Go to the Security tab of this repository.
2. Click on Advisories on the left sidebar.
3. Click Report a vulnerability.

This allows you to share the details privately with the maintainers.


Expected response timeline:

- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix or mitigation: Depends on severity, targeting 30 days for critical issues