diff options
| author | Dmitri Shuralyov <dmitshur@golang.org> | 2019-12-13 11:23:09 -0500 |
|---|---|---|
| committer | Dmitri Shuralyov <dmitshur@golang.org> | 2019-12-16 20:38:31 +0000 |
| commit | f7f9866f34111b1e5d6c67e7af4de64ecb685f9e (patch) | |
| tree | 9e8617527ee3a98ac5fa3ec9c1969a9433a424b6 | |
| parent | ae2bf169f6282a2715a3c0faf194910278044b03 (diff) | |
| download | go-f7f9866f34111b1e5d6c67e7af4de64ecb685f9e.tar.gz go-f7f9866f34111b1e5d6c67e7af4de64ecb685f9e.zip | |
doc: remove Go Security Policy page (moved to x/website)
This page has moved to the x/website repo in CL 211300 (commit
golang/website@3c8b7f99cadaa000e642595d0fabcd9ac496f335).
Remove the old copy in this repo since it's no longer used.
Updates #29206
Change-Id: I8b3396d9e42d1e7262a8cde9577962d33b215836
Reviewed-on: https://go-review.googlesource.com/c/go/+/211301
Reviewed-by: Filippo Valsorda <filippo@golang.org>
| -rw-r--r-- | doc/security.html | 183 |
1 files changed, 0 insertions, 183 deletions
diff --git a/doc/security.html b/doc/security.html deleted file mode 100644 index 5f6ff23a9f..0000000000 --- a/doc/security.html +++ /dev/null @@ -1,183 +0,0 @@ -<!--{ - "Title": "Go Security Policy", - "Path": "/security", - "Template": true -}--> - -<h2>Implementation</h2> - -<h3>Reporting a Security Bug</h3> - -<p> -Please report to us any issues you find. -This document explains how to do that and what to expect in return. -</p> - -<p> -All security bugs in the Go distribution should be reported by email to -<a href="mailto:security@golang.org">security@golang.org</a>. -This mail is delivered to a small security team. -Your email will be acknowledged within 24 hours, and you'll receive a more -detailed response to your email within 72 hours indicating the next steps in -handling your report. -</p> - -<p> -To ensure your report is not marked as spam, please include the word "vulnerability" -anywhere in your email. Please use a descriptive subject line for your report email. -</p> - -<p> -After the initial reply to your report, the security team will endeavor to keep -you informed of the progress being made towards a fix and full announcement. -These updates will be sent at least every five days. -In reality, this is more likely to be every 24-48 hours. -</p> - -<p> -If you have not received a reply to your email within 48 hours or you have not -heard from the security team for the past five days please contact the Go -security team directly: -</p> - -<ul> -<li>Primary security coordinator: <a href="mailto:filippo@golang.org">Filippo Valsorda</a>.</li> -<li>Secondary coordinator: <a href="mailto:agl@golang.org">Adam Langley</a>.</li> -<li>If you receive no response, mail <a href="mailto:golang-dev@googlegroups.com">golang-dev@googlegroups.com</a> or use the <a href="https://groups.google.com/forum/#!forum/golang-dev">golang-dev web interface</a>.</li> -</ul> - -<p> -Please note that golang-dev is a public discussion forum. -When escalating on this list, please do not disclose the details of the issue. -Simply state that you're trying to reach a member of the security team. -</p> - -<h3>Flagging Existing Issues as Security-related</h3> - -<p> -If you believe that an <a href="https://golang.org/issue">existing issue</a> -is security-related, we ask that you send an email to -<a href="mailto:security@golang.org">security@golang.org</a>. -The email should include the issue ID and a short description of why it should -be handled according to this security policy. -</p> - -<h3>Disclosure Process</h3> - -<p>The Go project uses the following disclosure process:</p> - -<ol> -<li>Once the security report is received it is assigned a primary handler. -This person coordinates the fix and release process.</li> -<li>The issue is confirmed and a list of affected software is determined.</li> -<li>Code is audited to find any potential similar problems.</li> -<li>If it is determined, in consultation with the submitter, that a CVE-ID is -required, the primary handler obtains one via email to -<a href="https://oss-security.openwall.org/wiki/mailing-lists/distros">oss-distros</a>.</li> -<li>Fixes are prepared for the two most recent major releases and the head/master -revision. These fixes are not yet committed to the public repository.</li> -<li>A notification is sent to the -<a href="https://groups.google.com/group/golang-announce">golang-announce</a> -mailing list to give users time to prepare their systems for the update.</li> -<li>Three working days following this notification, the fixes are applied to -the <a href="https://go.googlesource.com/go">public repository</a> and a new -Go release is issued.</li> -<li>On the date that the fixes are applied, announcements are sent to -<a href="https://groups.google.com/group/golang-announce">golang-announce</a>, -<a href="https://groups.google.com/group/golang-dev">golang-dev</a>, and -<a href="https://groups.google.com/group/golang-nuts">golang-nuts</a>. -</ol> - -<p> -This process can take some time, especially when coordination is required with -maintainers of other projects. Every effort will be made to handle the bug in -as timely a manner as possible, however it's important that we follow the -process described above to ensure that disclosures are handled consistently. -</p> - -<p> -For security issues that include the assignment of a CVE-ID, -the issue is listed publicly under the -<a href="https://www.cvedetails.com/vulnerability-list/vendor_id-14185/Golang.html">"Golang" product on the CVEDetails website</a> -as well as the -<a href="https://web.nvd.nist.gov/view/vuln/search">National Vulnerability Disclosure site</a>. -</p> - -<h3>Receiving Security Updates</h3> - -<p> -The best way to receive security announcements is to subscribe to the -<a href="https://groups.google.com/forum/#!forum/golang-announce">golang-announce</a> -mailing list. Any messages pertaining to a security issue will be prefixed -with <code>[security]</code>. -</p> - -<h3>Comments on This Policy</h3> - -<p> -If you have any suggestions to improve this policy, please send an email to -<a href="mailto:golang-dev@golang.org">golang-dev@golang.org</a> for discussion. -</p> - -<h3>PGP Key for <a href="mailto:security@golang.org">security@golang.org</a></h3> - -<p> -We accept PGP-encrypted email, but the majority of the security team -are not regular PGP users so it's somewhat inconvenient. Please only -use PGP for critical security reports. -</p> - -<pre> ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te -+fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT -J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L -ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75 -8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3 -oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc -7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF -X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN -JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk -xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE -0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB -tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCTgQTAQoA -OAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBGROHzjvGgTlE7xbTTpG0ZF5 -Wlg4BQJd8rfQAAoJEDpG0ZF5Wlg4198P/2YDcEwEqWBWjriLFXdTGOcVxQ7AC/mX -Fe576zwgmrbqO00IaHOOqZZYXKd078FZyg2qQKILvfSAQB7EtLwfPEgv3Wca/Jb/ -ma2hNz+AveiWDVuF4yPx8qvFer/6Yzv9+anfpUP//qfo/7L3VSYKwNAcqqNGvBMh -fLb7oWDSkdRmcu57c4WYv8i5BtxMRXs581r836bG3U0z0WQG8j64RpYp6sipqJnv -09l3R5SXd7kkS26ntLU4fgTNJ6Eim7YoXsqLtVe4VZHGYz3D0yHnvCBpbJa2WpP2 -QT6TtFizvKtQlC0k1uo88VV8DyRdp2V6BO9cSNecvXZh81H0SjtD9MwdMnpX3shT -LKu3L6wlJtb/EJVZg6+usJo0VunUdNTiBmy4FJrko7YYOSVHKKBA6dooufGNUSjw -9Tieqh4jnzpg6+aIrNugZIrABH2G0GD/SvUSfjli0i+D1mqQSsMcLzE1BBcichpS -htjv6fU8nI5XXmloUn1P2WBwziemsb7YcfBLNVeCxlAmoJn1hnOPjNzmKfVZk95E -VJNvVB76JCh+S/0bAba5+nBZ1HRn/FAbs9vfUpp1sOFf25jX9bDAZvkqwgyPpNv/ -jONK0zNXRD5AfKdCA1nkMI70NNS5oBxPowp95eKyuw4hCINvfuPq5sLJa3cIMj3M -MVO91QDs9eXxuQINBFXI1h0BEACXD0f/XJtCzgrdcoDWOggjXqu1r0pLt7Dvr5qB -ejSN5JHAwRB8i07Fi9+Gajz7J2flNaxNuJ8ZTwvf4QFMxFHLNaFtoY7RaLPDsFNU -nufklb6d0+txSmn+KVSToBRXFo7/z9H735Ulmmh6gsddiWgUY25fnwYsjLWNIG8u -wuX8qLkg6se8PUYrpN+06XmPwg8LUtIGvAYk7zTfHvBR1A/+2wo39A9HymcGe2sS -CtAVIj5DeqsK9UyZecGVi6aN84G3ykoyAH3+LH4dY3ymJA1CInEP5eMQzpfBSZCo -hHvLkYg0paC6d0Ka1gjNWBj2nYGvpQ+tMmLXYt8q/mzZHo2fEUe/9p3b0Kk9N4sl -GxKoV+oEv3r0EKmP+KxeZASbgW3OJmJ0BFejXYqIYCc8X2i2Ks0enj7yHA0Hexx/ -twjnfLydmK871zAjsGgKVjpkhpuMNwnGMr7bh6ajPeYnlIelmlAtJv2jwZsst9c6 -r7i7MRfYDfR+Gu2xBv/HQYzi/cRTVo/aaO6SzJhuCV21jri0PfnCoAD2ZWXlTH6D -UehQG8vDSH6XPCHfvQ0nD/8hO8FBVS0MwH3qt8g/h8vmliXmmZHP6+y4nSJfObTm -oGAp9Ko7tOj1JbFA91fz1Hi7T9dUCXDQCT1lx6rdb3q+x4RRNHdqhkIwg+LB9wNq -rrStZQARAQABiQI2BBgBCgAgAhsMFiEEZE4fOO8aBOUTvFtNOkbRkXlaWDgFAl3y -uFYACgkQOkbRkXlaWDiMgw//YvO2nZxWNSnQxqCEi8RXHV/3qsDDe8LloviFFV/M -GSiGZBOhLJ0bFm9aKKPoye5mrZXBKvEVPu0h1zn43+lZruhARPiTu2AecQ7fstET -PyXMZJ4mfLSFIaAumuH9dQEQJA9RRaFK8uzPRgAxVKyuNYS89psz/RvSeRM3B7Li -m9waLs42+5xtltR5F6HKPhrgS/rrFHKMrNiDNMMG2FYu1TjonA9QnzAxDPixH3A1 -VNEj6tVqVK8wCMpci3YaXZJntX0H3oO6qloL8qIpSMVrIiD4IDBDK13Jn3OJ7veq -iDn1mbGFYtfu8R+QV2xeDSJ6nEKfV3Mc3PFDbJMdzkOCdvExC8qsuUOqO4J6dRt7 -9NVptL0xZqlBjpF9fq9XCt7ZcQLDqbUF/rUs58yKSqEGrruXTx4cTLtwkTLcqJOw -/CSgFtE8cvY51uupuEFzfmt8JLNTxsm2X2NlsZYxFJhamVrGFroa55nqgKe3tF7e -AQBU641SZRYloqGgPK+4PB79vV4RyEDETOpD3PvpN2IafVWDacI4LXW0a4EKnPUj -7JwRBmZxESda3OixSONv/VcuEOyGAZUppbLM4XYTtslRIqdQJFr7Vkza/VIoUqaY -MkFIioHf2QndVwDXt3d0b0aAGaLeMRD1MFGtLNigEDD45nPeEpuGzXkUATpVWGiV -bIs= -=Nx85 ------END PGP PUBLIC KEY BLOCK----- -</pre> |