Security Policy

This policy outlines the commitment and practices of the go-openapi maintainers regarding security.

It applies to all repositories in the go-openapi organization.

Vulnerability checks in place

Our repositories run automated vulnerability scans on every merged commit and at least once a week.

We use:

Reports are centralized in GitHub security reports and are visible only to the maintainers.

Reporting a vulnerability

If you become aware of a security vulnerability that affects any go-openapi repository, please report it privately to the maintainers rather than opening a publicly visible GitHub issue.

Please follow the instructions provided by GitHub to privately report a security vulnerability.

TL;DR

On GitHub, navigate to the affected project’s “Security” tab, then click “Report a vulnerability”.