This document outlines how the GoReleaser team responds to security incidents, critical bugs, or operational disruptions that could affect users or the trustworthiness of the project.
This plan applies to everything in the goreleaser/goreleaser repository, including code, releases, and GitHub workflows.
- Incident Lead: By default, @caarlos0.
- Security Contact: All incidents must be reported via only GitHub Security Advisories.
All security incidents are initially considered sensitive.
They must be reported privately and exclusively through GitHub Security Advisories.
Do not disclose incidents via issues, pull requests, or public channels.
- Acknowledge the report and thank the reporter.
- Assess the severity and validity. See CIA.
- Engage other maintainers if needed.
- Contain the issue if possible (revoke credentials, disable workflows).
- Investigate root cause and potential impact.
- Mitigate:
- Patch vulnerabilities.
- Rotate credentials (tokens/keys) if needed.
- Document all findings and actions.
Resolution or assessment will typically be provided within 30 days of acknowledgment.
All communication regarding security incidents must occur exclusively through the GitHub Security Advisories page.
Once the incident is resolved, a coordinated disclosure is agreed upon, and a fix is released, a public summary will be published. Typically we request a CVE as well.
- Review the incident and response.
- Update documentation or automation as needed.
- Publish an advisory for significant incidents.
- Credit everyone involved unless they explicitly ask to remain anonymous.