e071084ebe
govulncheck / govulncheck (push) Waiting to run
Harness (E2E) / Harnesses (mock LLM) (push) Waiting to run
Harness (E2E) / Provider harnesses (live LLM conformance) (push) Waiting to run
Lint / golangci-lint (push) Waiting to run
Run Tests / Unit Tests (push) Waiting to run
Run Tests / Etcd Integration Tests (push) Waiting to run
179 lines
4.3 KiB
Markdown
179 lines
4.3 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
We actively support the following versions of go-micro:
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| 5.x | :white_check_mark: |
|
|
| 4.x | :x: |
|
|
| 3.x | :x: |
|
|
| < 3.0 | :x: |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Please do not report security vulnerabilities through public GitHub issues.**
|
|
|
|
### How to Report
|
|
|
|
Use GitHub's private security advisory feature:
|
|
https://github.com/micro/go-micro/security/advisories/new
|
|
|
|
This keeps vulnerability reports private, ties follow-up to the affected repository, and avoids relying on project email routing.
|
|
|
|
### What to Include
|
|
|
|
Please include as much of the following information as possible:
|
|
|
|
- Type of vulnerability (e.g., RCE, XSS, SQL injection, etc.)
|
|
- Full paths of source file(s) related to the vulnerability
|
|
- Location of the affected source code (tag/branch/commit or direct URL)
|
|
- Step-by-step instructions to reproduce the issue
|
|
- Proof-of-concept or exploit code (if possible)
|
|
- Impact of the issue, including how an attacker might exploit it
|
|
|
|
### Response Timeline
|
|
|
|
- **Acknowledgment**: Within 48 hours
|
|
- **Initial Assessment**: Within 5 business days
|
|
- **Fix Timeline**: Depends on severity
|
|
- Critical: 7 days
|
|
- High: 14 days
|
|
- Medium: 30 days
|
|
- Low: Next release cycle
|
|
|
|
### Disclosure Policy
|
|
|
|
- We follow **coordinated disclosure**
|
|
- We'll work with you to understand and fix the issue
|
|
- We'll credit you in the security advisory (unless you prefer to remain anonymous)
|
|
- Please give us reasonable time to fix before public disclosure
|
|
- We'll publish a security advisory on GitHub when the fix is released
|
|
|
|
## Security Best Practices
|
|
|
|
When using go-micro in production:
|
|
|
|
### TLS/Transport Security
|
|
|
|
```go
|
|
import "go-micro.dev/v5/transport"
|
|
|
|
// Enable TLS verification (recommended)
|
|
os.Setenv("MICRO_TLS_SECURE", "true")
|
|
|
|
// Or use SecureConfig explicitly
|
|
tlsConfig := transport.SecureConfig()
|
|
```
|
|
|
|
See [TLS Security Update](internal/website/docs/TLS_SECURITY_UPDATE.md) for details.
|
|
|
|
### Authentication
|
|
|
|
```go
|
|
import "go-micro.dev/v5/auth"
|
|
|
|
// Use JWT authentication
|
|
service := micro.NewService(
|
|
micro.Auth(auth.NewAuth()),
|
|
)
|
|
```
|
|
|
|
### Input Validation
|
|
|
|
Always validate and sanitize inputs in your handlers:
|
|
|
|
```go
|
|
func (h *Handler) Create(ctx context.Context, req *Request, rsp *Response) error {
|
|
// Validate input
|
|
if req.Name == "" {
|
|
return errors.BadRequest("handler.create", "name is required")
|
|
}
|
|
|
|
// Sanitize and process
|
|
// ...
|
|
}
|
|
```
|
|
|
|
### Rate Limiting
|
|
|
|
Implement rate limiting for public-facing services:
|
|
|
|
```go
|
|
import "go-micro.dev/v5/client"
|
|
|
|
// Client-side rate limiting
|
|
client.NewClient(
|
|
client.RequestTimeout(time.Second * 5),
|
|
client.Retries(3),
|
|
)
|
|
```
|
|
|
|
### Secrets Management
|
|
|
|
Never commit secrets to version control:
|
|
|
|
```go
|
|
// Good: Use environment variables
|
|
apiKey := os.Getenv("API_KEY")
|
|
|
|
// Better: Use a secrets manager
|
|
import "github.com/hashicorp/vault/api"
|
|
```
|
|
|
|
### Dependency Security
|
|
|
|
Regularly update dependencies:
|
|
|
|
```bash
|
|
# Check for vulnerabilities
|
|
go list -json -m all | nancy sleuth
|
|
|
|
# Update dependencies
|
|
go get -u ./...
|
|
go mod tidy
|
|
```
|
|
|
|
## Known Security Considerations
|
|
|
|
### Reflection Usage
|
|
|
|
go-micro uses reflection for automatic handler registration. While this is a deliberate design choice for developer productivity, be aware:
|
|
|
|
- Type safety is enforced at runtime, not compile time
|
|
- Malformed requests won't crash services (errors are returned)
|
|
- See [Performance Considerations](internal/website/docs/performance.md)
|
|
|
|
### TLS Certificate Verification
|
|
|
|
**Default behavior in v5**: TLS certificate verification is **disabled** for backward compatibility.
|
|
|
|
**Production recommendation**: Enable secure mode:
|
|
|
|
```bash
|
|
export MICRO_TLS_SECURE=true
|
|
```
|
|
|
|
This will be the default in v6.
|
|
|
|
## Security Updates
|
|
|
|
Security updates are published as:
|
|
- GitHub Security Advisories
|
|
- Release notes with `[SECURITY]` prefix
|
|
- CVE entries for critical issues
|
|
|
|
Subscribe to releases: https://github.com/micro/go-micro/releases
|
|
|
|
## Bug Bounty
|
|
|
|
We currently do not offer a bug bounty program, but we greatly appreciate responsible disclosure and will publicly credit researchers who report valid security issues.
|
|
|
|
## Questions?
|
|
|
|
For security questions that are not vulnerabilities, please:
|
|
- Open a discussion: https://github.com/micro/go-micro/discussions
|
|
- Join Discord: https://discord.gg/G8Gk5j3uXr
|
|
|