| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Please do not report security issues publicly ❗ Use GitHub's private vulnerability reporting (the Security tab), or one of the methods below.
- Email: kh3rld@duck.com (PGP Key [0xABCD1234])
- Response Time: We acknowledge reports within 48 hours
- Disclosure: Patched vulnerabilities will be disclosed via GitHub advisories
- All code must pass: `make lint` (includes gosec and static analysis)
- Banned patterns:
  - Unsafe pointer arithmetic (`unsafe` package)
  - Shell command injection (e.g., unfiltered `exec.Command` input)
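As an added illustration of the banned shell-injection pattern (example code written for this policy, not part of the project), the first function splices caller input into a shell command line, while the second validates the input against an allowlist and passes it as a single argv element with no shell involved. Names such as `safeListCmd` and the base directory are assumptions for the example; neither function executes anything in `main`.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// Banned pattern: user input is concatenated into a shell command line, so
// metacharacters such as ';' or '$(...)' are interpreted by sh.
func unsafeListCmd(dir string) *exec.Cmd {
	return exec.Command("sh", "-c", "ls -l "+dir)
}

// Conservative allowlist for a single path component (hypothetical policy).
var safeName = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// ErrBadInput is returned when the input fails validation.
var ErrBadInput = errors.New("invalid directory name")

// safeListCmd validates the name, confines it to baseDir, and passes it as
// one argv element. exec.Command never invokes a shell, so the argument can
// only ever be a literal string; "--" also stops it being read as a flag.
func safeListCmd(baseDir, name string) (*exec.Cmd, error) {
	if !safeName.MatchString(name) || strings.HasPrefix(name, "-") {
		return nil, ErrBadInput
	}
	target := filepath.Join(baseDir, name) // Join cleans "." and ".." segments
	if filepath.Dir(target) != filepath.Clean(baseDir) {
		return nil, ErrBadInput // escaped the base directory
	}
	return exec.Command("ls", "-l", "--", target), nil
}

func main() {
	// Constructed input: shows that the unsafe form would hand a second
	// command to the shell, while the safe form rejects it outright.
	input := "reports; id"
	fmt.Printf("unsafe argv: %q\n", unsafeListCmd(input).Args)
	if _, err := safeListCmd("/srv/data", input); err != nil {
		fmt.Println("safe form rejected input:", err)
	}
	ok, _ := safeListCmd("/srv/data", "reports")
	fmt.Printf("safe argv: %q\n", ok.Args)
}
```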
Dependencies:
- Audit third-party packages with: `go mod audit`
- Report suspicious dependencies immediately
Code Reviews:
- All PRs require security review from maintainers
- Security-critical changes get 72-hour review period
| Threat | Mitigation |
|---|---|
| Code injection | Input validation + AST sanitization |
| Memory corruption | Bounds checking + no pointer arithmetic |
| Dependency attacks | Pinned versions + automated audits |