The purpose of this security policy is to outline go-git's process for reporting, handling and disclosing security-sensitive information.
The project follows a version support policy where only the latest minor release is actively supported. Therefore, only issues that impact the latest minor release will be fixed. Users are encouraged to upgrade to the latest minor/patch release to benefit from the most up-to-date features, bug fixes, and security enhancements.
The supported versions policy applies to both the go-git library and its associated repositories within the go-git org.
Please report any security vulnerabilities or potential weaknesses in go-git privately via go-git-security@googlegroups.com. Do not publicly disclose the details of the vulnerability until a fix has been implemented and released.
During the process the project maintainers will investigate the report, so please provide detailed information, including steps to reproduce, affected versions, and any mitigations if known.
The project maintainers will acknowledge the receipt of the report and work with the reporter to validate and address the issue.
Please note that go-git does not have any bounty programs, and therefore does not provide financial compensation for disclosures.
The project maintainers will make every effort to promptly address security issues.
Once a security vulnerability is fixed, a security advisory will be published to notify users and provide appropriate mitigation measures.
All go-git advisories can be found at https://github.com/go-git/go-git/security/advisories.