Skip to main content
The Go team takes security seriously and has established processes for handling security vulnerabilities.

Supported Versions

The Go team maintains and provides security updates for the past two Go releases.
For example, when Go 1.18.x is the latest stable release, both Go 1.17.x and Go 1.18.x receive security updates.

Release Cycle

Go follows a predictable release cycle:
  • Major releases: Approximately every 6 months
  • Minor releases: As needed for bug fixes and security patches
  • Security updates: Provided for the two most recent major releases
For detailed information, see the Go Release Cycle and the Release Maintenance documentation.

Reporting a Vulnerability

If you discover a security vulnerability in Go, please report it responsibly. Do not file a public issue.

How to Report

1

Review the Policy

Read the complete security policy at go.dev/security/policy.
2

Email the Security Team

Send a detailed report to [email protected].Include:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)
3

Wait for Response

The security team will acknowledge your report and work with you on addressing the issue.
4

Coordinated Disclosure

The team will coordinate with you on timing for public disclosure after a fix is available.

What to Include in Your Report

A good security report should include: 
**Summary**: Brief description of the vulnerability

**Go Version**: Output of `go version`

**Operating System**: OS and architecture affected

**Description**: Detailed explanation of the vulnerability

**Steps to Reproduce**:
1. Step one
2. Step two
3. Step three

**Impact**: What an attacker could accomplish

**Mitigation**: Suggested fix or workaround (if known)

Security Best Practices

While using Go:

Keep Go Updated

Regularly update to the latest patch release of your Go version

Monitor Announcements

Subscribe to the golang-announce mailing list for security updates

Review Dependencies

Keep your dependencies updated and check for known vulnerabilities

Use go.sum

Commit your go.sum file to ensure reproducible builds

Vulnerability Scanning

Go provides tools to help identify known vulnerabilities: 
# Install govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest

# Scan your project
govulncheck ./...

Security Updates

When security issues are fixed:
  1. Announcement: Posted to golang-announce
  2. CVE Assignment: Critical issues receive CVE identifiers
  3. Patch Release: Fixed in new patch releases for supported versions
  4. Documentation: Security advisories published on go.dev

Response Timeline

The Go security team aims to:
  • Acknowledge reports within 48 hours
  • Provide initial assessment within 7 days
  • Develop and test fixes as quickly as possible
  • Coordinate disclosure with the reporter

Additional Resources

Build docs developers (and LLMs) love

Get started for freeTalk to us