Use this section to tell people about which versions of your project are currently being supported with security updates.
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability within Go Active Record, please send an email to security@forester.co. All security vulnerabilities will be promptly addressed.
Please do not create a public GitHub issue for security vulnerabilities.
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if any)
- Initial response: Within 48 hours
- Status update: Within 1 week
- Fix release: Within 30 days (depending on severity)
We follow responsible disclosure practices:
- Private reporting: Report vulnerabilities privately
- Timeline: We'll work with you to establish a timeline for disclosure
- Credit: We'll credit you in the security advisory
- Coordination: We'll coordinate the public disclosure
When using Go Active Record:
- Keep dependencies updated: Regularly update your dependencies
- Use HTTPS: Always use HTTPS in production
- Validate input: Always validate and sanitize user input
- Use prepared statements: The library uses prepared statements by default
- Follow principle of least privilege: Use database users with minimal required permissions
Go Active Record includes several security features:
- SQL injection protection: Uses prepared statements
- Input validation: Built-in validation framework
- Type safety: Strong typing prevents many security issues
- Connection security: Supports SSL/TLS connections
Do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to security@forester.co.
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the requested information listed above (as much as you can provide) to help us better understand the nature and scope of the possible issue.