SECURITY.md

File metadata and controls

45 lines (38 loc) · 1.48 KB

Kisumu Lang Security Policy

Supported Versions

| Version | Supported |
|---------|-----------|
| 1.0.x   |           |
| < 1.0   |           |

Reporting Vulnerabilities

Please do not report security issues publicly. Use GitHub's private vulnerability reporting (the Security tab of the repository), or one of the methods below.

  1. Email: [email protected] (PGP Key [0xABCD1234])
  2. Response Time: We acknowledge reports within 48 hours
  3. Disclosure: Patched vulnerabilities will be disclosed via GitHub advisories

Security Practices

For Developers

  • All code must pass:
    make lint # Includes gosec and static analysis
  • Banned patterns:
    • Unsafe pointer arithmetic (the unsafe package)
    • Shell command injection (e.g., passing unvalidated input through a shell via exec.Command)
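As an added illustration of the banned exec.Command pattern (example code written for this page, not code from the Kisumu Lang repository), the snippet below puts the injectable form next to a hardened form. The gofmt invocation, the allowlist regex and the helper names are assumptions chosen for the example; the attacker payload is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// vulnerableArgv reproduces the banned pattern: user input is concatenated
// into a command line and handed to "sh -c". Shell metacharacters in the
// input (";", "|", "$(...)") become part of the command. The argv is returned
// rather than executed so it can be inspected safely.
func vulnerableArgv(filename string) []string {
	return []string{"sh", "-c", "gofmt -l " + filename}
}

// safeName is an allowlist (an assumption for this example) for the values we
// expect: path-like names made of letters, digits, "_", ".", "/" and "-",
// not starting with "-" so the value can never be parsed as a flag.
var safeName = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_./-]*$`)

// hardenedArgv validates the input against the allowlist, rejects path
// traversal, and passes the value as its own argv element. exec.Command
// then invokes the binary directly (no shell), so metacharacters are inert.
func hardenedArgv(filename string) ([]string, error) {
	if !safeName.MatchString(filename) {
		return nil, errors.New("filename contains characters outside the allowlist")
	}
	if strings.Contains(filename, "..") {
		return nil, errors.New("filename must not contain path traversal")
	}
	return []string{"gofmt", "-l", filename}, nil
}

// runArgv executes an argv built by hardenedArgv. It is the only place that
// touches exec.Command, which keeps the review surface small.
func runArgv(argv []string) ([]byte, error) {
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	// Constructed attacker input: a valid-looking name with a trailing command.
	payload := "main.go; rm -rf /"

	// With "sh -c" the whole string is parsed by the shell; ";" starts a new command.
	fmt.Printf("vulnerable argv: %q\n", vulnerableArgv(payload))

	if _, err := hardenedArgv(payload); err != nil {
		fmt.Println("hardened: rejected:", err)
	}

	argv, err := hardenedArgv("cmd/main.go")
	if err == nil {
		fmt.Printf("hardened argv: %q\n", argv)
		if out, err := runArgv(argv); err != nil {
			fmt.Println("gofmt not run:", err, string(out))
		}
	}
}
```

The point reviewers should check in a PR is not only that a shell is absent but that the argument cannot start with "-" (otherwise it is parsed as a flag by the child) and cannot escape the intended directory.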

For Contributors

  1. Dependencies:

    • Audit third-party packages for known vulnerabilities. The Go toolchain has no go mod audit subcommand; use govulncheck from golang.org/x/vuln:
      go install golang.org/x/vuln/cmd/govulncheck@latest
      govulncheck ./...
    • Verify that the module cache matches the pinned hashes in go.sum before building:
      go mod verify
    • Report suspicious dependencies immediately
  2. Code Reviews:

    • All PRs require security review from maintainers
    • Security-critical changes get a 72-hour review period

Threat Model

| Threat             | Mitigation                                   |
|--------------------|----------------------------------------------|
| Code injection     | Input validation + AST sanitization          |
| Memory corruption  | Bounds checking + no pointer arithmetic      |
| Dependency attacks | Pinned versions + automated audits           |