We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| Version | Supported | Status |
|---|---|---|
| latest | ✅ | Active development |
| < latest | ❌ | Security fixes only for critical issues |
We take the security of capitan seriously. If you have discovered a security vulnerability in this project, please report it responsibly.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
-
GitHub Security Advisories (Preferred)
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill out the form with details about the vulnerability
-
Email
- Send details to the repository maintainer through GitHub profile contact information
- Use PGP encryption if possible for sensitive details
Please include the following information (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g., race condition, deadlock, memory leak, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
- Your name and affiliation (optional)
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Initial Assessment: Within 7 days, we will provide an initial assessment of the report
- Resolution Timeline: We aim to resolve critical issues within 30 days
- Disclosure: We will coordinate with you on the disclosure timeline
We prefer all communications to be in English.
When using capitan in your applications, we recommend:
-
Keep Dependencies Updated
go get -u github.com/zoobz-io/capitan
-
Resource Management
- Call
Shutdown()before application exit - Close listeners when no longer needed
- Don't emit events after shutdown
- Call
-
Error Handling
- Implement proper error handling in listeners
- Don't panic in listener callbacks
- Log errors appropriately
-
Input Validation
- Validate event fields in listeners
- Use type assertions safely
- Handle missing fields gracefully
-
Concurrency Safety
- Don't modify events in listeners (they're meant to be immutable)
- Don't share mutable state across listeners without synchronization
- Be aware that listeners run asynchronously
capitan includes several built-in security features:
- Type Safety: Typed fields prevent type confusion
- Panic Recovery: Listener panics caught and isolated
- Worker Isolation: Per-signal workers prevent cascading failures
- Graceful Shutdown: Pending events processed on shutdown
- Zero Dependencies: No external dependencies reduce attack surface
This project uses:
- CodeQL: GitHub's semantic code analysis for security vulnerabilities
- golangci-lint: Static analysis including security linters
- Codecov: Coverage tracking to ensure security-critical code is tested
- Security vulnerabilities will be disclosed via GitHub Security Advisories
- We follow a 90-day disclosure timeline for non-critical issues
- Critical vulnerabilities may be disclosed sooner after patches are available
- We will credit reporters who follow responsible disclosure practices
We thank the following individuals for responsibly disclosing security issues:
This list is currently empty. Be the first to help improve our security!
Last Updated: 2024-10-24