diff --git a/content/static/doc/security.html b/content/static/doc/security.html new file mode 100644 index 0000000000..5f6ff23a9f --- /dev/null +++ b/content/static/doc/security.html @@ -0,0 +1,183 @@ + + +
+Please report to us any issues you find. +This document explains how to do that and what to expect in return. +
+ ++All security bugs in the Go distribution should be reported by email to +security@golang.org. +This mail is delivered to a small security team. +Your email will be acknowledged within 24 hours, and you'll receive a more +detailed response to your email within 72 hours indicating the next steps in +handling your report. +
+ ++To ensure your report is not marked as spam, please include the word "vulnerability" +anywhere in your email. Please use a descriptive subject line for your report email. +
+ ++After the initial reply to your report, the security team will endeavor to keep +you informed of the progress being made towards a fix and full announcement. +These updates will be sent at least every five days. +In reality, this is more likely to be every 24-48 hours. +
+ ++If you have not received a reply to your email within 48 hours or you have not +heard from the security team for the past five days please contact the Go +security team directly: +
+ ++Please note that golang-dev is a public discussion forum. +When escalating on this list, please do not disclose the details of the issue. +Simply state that you're trying to reach a member of the security team. +
+ ++If you believe that an existing issue +is security-related, we ask that you send an email to +security@golang.org. +The email should include the issue ID and a short description of why it should +be handled according to this security policy. +
+ +The Go project uses the following disclosure process:
+ ++This process can take some time, especially when coordination is required with +maintainers of other projects. Every effort will be made to handle the bug in +as timely a manner as possible, however it's important that we follow the +process described above to ensure that disclosures are handled consistently. +
+ ++For security issues that include the assignment of a CVE-ID, +the issue is listed publicly under the +"Golang" product on the CVEDetails website +as well as the +National Vulnerability Disclosure site. +
+ +
+The best way to receive security announcements is to subscribe to the
+golang-announce
+mailing list. Any messages pertaining to a security issue will be prefixed
+with [security]
.
+
+If you have any suggestions to improve this policy, please send an email to +golang-dev@golang.org for discussion. +
+ ++We accept PGP-encrypted email, but the majority of the security team +are not regular PGP users so it's somewhat inconvenient. Please only +use PGP for critical security reports. +
+ ++-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te ++fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT +J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L +ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75 +8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3 +oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc +7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF +X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN +JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk +xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE +0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB +tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCTgQTAQoA +OAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBGROHzjvGgTlE7xbTTpG0ZF5 +Wlg4BQJd8rfQAAoJEDpG0ZF5Wlg4198P/2YDcEwEqWBWjriLFXdTGOcVxQ7AC/mX +Fe576zwgmrbqO00IaHOOqZZYXKd078FZyg2qQKILvfSAQB7EtLwfPEgv3Wca/Jb/ +ma2hNz+AveiWDVuF4yPx8qvFer/6Yzv9+anfpUP//qfo/7L3VSYKwNAcqqNGvBMh +fLb7oWDSkdRmcu57c4WYv8i5BtxMRXs581r836bG3U0z0WQG8j64RpYp6sipqJnv +09l3R5SXd7kkS26ntLU4fgTNJ6Eim7YoXsqLtVe4VZHGYz3D0yHnvCBpbJa2WpP2 +QT6TtFizvKtQlC0k1uo88VV8DyRdp2V6BO9cSNecvXZh81H0SjtD9MwdMnpX3shT +LKu3L6wlJtb/EJVZg6+usJo0VunUdNTiBmy4FJrko7YYOSVHKKBA6dooufGNUSjw +9Tieqh4jnzpg6+aIrNugZIrABH2G0GD/SvUSfjli0i+D1mqQSsMcLzE1BBcichpS +htjv6fU8nI5XXmloUn1P2WBwziemsb7YcfBLNVeCxlAmoJn1hnOPjNzmKfVZk95E +VJNvVB76JCh+S/0bAba5+nBZ1HRn/FAbs9vfUpp1sOFf25jX9bDAZvkqwgyPpNv/ +jONK0zNXRD5AfKdCA1nkMI70NNS5oBxPowp95eKyuw4hCINvfuPq5sLJa3cIMj3M +MVO91QDs9eXxuQINBFXI1h0BEACXD0f/XJtCzgrdcoDWOggjXqu1r0pLt7Dvr5qB +ejSN5JHAwRB8i07Fi9+Gajz7J2flNaxNuJ8ZTwvf4QFMxFHLNaFtoY7RaLPDsFNU +nufklb6d0+txSmn+KVSToBRXFo7/z9H735Ulmmh6gsddiWgUY25fnwYsjLWNIG8u +wuX8qLkg6se8PUYrpN+06XmPwg8LUtIGvAYk7zTfHvBR1A/+2wo39A9HymcGe2sS +CtAVIj5DeqsK9UyZecGVi6aN84G3ykoyAH3+LH4dY3ymJA1CInEP5eMQzpfBSZCo 
+hHvLkYg0paC6d0Ka1gjNWBj2nYGvpQ+tMmLXYt8q/mzZHo2fEUe/9p3b0Kk9N4sl +GxKoV+oEv3r0EKmP+KxeZASbgW3OJmJ0BFejXYqIYCc8X2i2Ks0enj7yHA0Hexx/ +twjnfLydmK871zAjsGgKVjpkhpuMNwnGMr7bh6ajPeYnlIelmlAtJv2jwZsst9c6 +r7i7MRfYDfR+Gu2xBv/HQYzi/cRTVo/aaO6SzJhuCV21jri0PfnCoAD2ZWXlTH6D +UehQG8vDSH6XPCHfvQ0nD/8hO8FBVS0MwH3qt8g/h8vmliXmmZHP6+y4nSJfObTm +oGAp9Ko7tOj1JbFA91fz1Hi7T9dUCXDQCT1lx6rdb3q+x4RRNHdqhkIwg+LB9wNq +rrStZQARAQABiQI2BBgBCgAgAhsMFiEEZE4fOO8aBOUTvFtNOkbRkXlaWDgFAl3y +uFYACgkQOkbRkXlaWDiMgw//YvO2nZxWNSnQxqCEi8RXHV/3qsDDe8LloviFFV/M +GSiGZBOhLJ0bFm9aKKPoye5mrZXBKvEVPu0h1zn43+lZruhARPiTu2AecQ7fstET +PyXMZJ4mfLSFIaAumuH9dQEQJA9RRaFK8uzPRgAxVKyuNYS89psz/RvSeRM3B7Li +m9waLs42+5xtltR5F6HKPhrgS/rrFHKMrNiDNMMG2FYu1TjonA9QnzAxDPixH3A1 +VNEj6tVqVK8wCMpci3YaXZJntX0H3oO6qloL8qIpSMVrIiD4IDBDK13Jn3OJ7veq +iDn1mbGFYtfu8R+QV2xeDSJ6nEKfV3Mc3PFDbJMdzkOCdvExC8qsuUOqO4J6dRt7 +9NVptL0xZqlBjpF9fq9XCt7ZcQLDqbUF/rUs58yKSqEGrruXTx4cTLtwkTLcqJOw +/CSgFtE8cvY51uupuEFzfmt8JLNTxsm2X2NlsZYxFJhamVrGFroa55nqgKe3tF7e +AQBU641SZRYloqGgPK+4PB79vV4RyEDETOpD3PvpN2IafVWDacI4LXW0a4EKnPUj +7JwRBmZxESda3OixSONv/VcuEOyGAZUppbLM4XYTtslRIqdQJFr7Vkza/VIoUqaY +MkFIioHf2QndVwDXt3d0b0aAGaLeMRD1MFGtLNigEDD45nPeEpuGzXkUATpVWGiV +bIs= +=Nx85 +-----END PGP PUBLIC KEY BLOCK----- +diff --git a/content/static/gen.go b/content/static/gen.go index edcdac28c3..5882c2f5e9 100644 --- a/content/static/gen.go +++ b/content/static/gen.go @@ -43,6 +43,7 @@ var files = []string{ "doc/devel/weekly.html", "doc/docs.html", "doc/root.html", + "doc/security.html", "error.html", "example.html", "godoc.html", diff --git a/content/static/static.go b/content/static/static.go index b51a15c9d6..f2f648a434 100644 --- a/content/static/static.go +++ b/content/static/static.go @@ -61,6 +61,8 @@ var Files = map[string]string{ "doc/root.html": "\x0a\x0a
\x0a\x20\x20\x20\x20\x20\x20Binary\x20distributions\x20available\x20for
\x0a\x20\x20\x20\x20\x20\x20Linux,\x20macOS,\x20Windows,\x20and\x20more.\x0a\x20\x20\x20\x20
\x0aPlease\x20report\x20to\x20us\x20any\x20issues\x20you\x20find.\x0aThis\x20document\x20explains\x20how\x20to\x20do\x20that\x20and\x20what\x20to\x20expect\x20in\x20return.\x0a
\x0a\x0a\x0aAll\x20security\x20bugs\x20in\x20the\x20Go\x20distribution\x20should\x20be\x20reported\x20by\x20email\x20to\x0asecurity@golang.org.\x0aThis\x20mail\x20is\x20delivered\x20to\x20a\x20small\x20security\x20team.\x0aYour\x20email\x20will\x20be\x20acknowledged\x20within\x2024\x20hours,\x20and\x20you'll\x20receive\x20a\x20more\x0adetailed\x20response\x20to\x20your\x20email\x20within\x2072\x20hours\x20indicating\x20the\x20next\x20steps\x20in\x0ahandling\x20your\x20report.\x0a
\x0a\x0a\x0aTo\x20ensure\x20your\x20report\x20is\x20not\x20marked\x20as\x20spam,\x20please\x20include\x20the\x20word\x20\"vulnerability\"\x0aanywhere\x20in\x20your\x20email.\x20Please\x20use\x20a\x20descriptive\x20subject\x20line\x20for\x20your\x20report\x20email.\x0a
\x0a\x0a\x0aAfter\x20the\x20initial\x20reply\x20to\x20your\x20report,\x20the\x20security\x20team\x20will\x20endeavor\x20to\x20keep\x0ayou\x20informed\x20of\x20the\x20progress\x20being\x20made\x20towards\x20a\x20fix\x20and\x20full\x20announcement.\x0aThese\x20updates\x20will\x20be\x20sent\x20at\x20least\x20every\x20five\x20days.\x0aIn\x20reality,\x20this\x20is\x20more\x20likely\x20to\x20be\x20every\x2024-48\x20hours.\x0a
\x0a\x0a\x0aIf\x20you\x20have\x20not\x20received\x20a\x20reply\x20to\x20your\x20email\x20within\x2048\x20hours\x20or\x20you\x20have\x20not\x0aheard\x20from\x20the\x20security\x20team\x20for\x20the\x20past\x20five\x20days\x20please\x20contact\x20the\x20Go\x0asecurity\x20team\x20directly:\x0a
\x0a\x0a\x0aPlease\x20note\x20that\x20golang-dev\x20is\x20a\x20public\x20discussion\x20forum.\x0aWhen\x20escalating\x20on\x20this\x20list,\x20please\x20do\x20not\x20disclose\x20the\x20details\x20of\x20the\x20issue.\x0aSimply\x20state\x20that\x20you're\x20trying\x20to\x20reach\x20a\x20member\x20of\x20the\x20security\x20team.\x0a
\x0a\x0a\x0aIf\x20you\x20believe\x20that\x20an\x20existing\x20issue\x0ais\x20security-related,\x20we\x20ask\x20that\x20you\x20send\x20an\x20email\x20to\x0asecurity@golang.org.\x0aThe\x20email\x20should\x20include\x20the\x20issue\x20ID\x20and\x20a\x20short\x20description\x20of\x20why\x20it\x20should\x0abe\x20handled\x20according\x20to\x20this\x20security\x20policy.\x0a
\x0a\x0aThe\x20Go\x20project\x20uses\x20the\x20following\x20disclosure\x20process:
\x0a\x0a\x0aThis\x20process\x20can\x20take\x20some\x20time,\x20especially\x20when\x20coordination\x20is\x20required\x20with\x0amaintainers\x20of\x20other\x20projects.\x20Every\x20effort\x20will\x20be\x20made\x20to\x20handle\x20the\x20bug\x20in\x0aas\x20timely\x20a\x20manner\x20as\x20possible,\x20however\x20it's\x20important\x20that\x20we\x20follow\x20the\x0aprocess\x20described\x20above\x20to\x20ensure\x20that\x20disclosures\x20are\x20handled\x20consistently.\x0a
\x0a\x0a\x0aFor\x20security\x20issues\x20that\x20include\x20the\x20assignment\x20of\x20a\x20CVE-ID,\x0athe\x20issue\x20is\x20listed\x20publicly\x20under\x20the\x0a\"Golang\"\x20product\x20on\x20the\x20CVEDetails\x20website\x0aas\x20well\x20as\x20the\x0aNational\x20Vulnerability\x20Disclosure\x20site.\x0a
\x0a\x0a\x0aThe\x20best\x20way\x20to\x20receive\x20security\x20announcements\x20is\x20to\x20subscribe\x20to\x20the\x0agolang-announce\x0amailing\x20list.\x20Any\x20messages\x20pertaining\x20to\x20a\x20security\x20issue\x20will\x20be\x20prefixed\x0awith\x20[security]
.\x0a
\x0aIf\x20you\x20have\x20any\x20suggestions\x20to\x20improve\x20this\x20policy,\x20please\x20send\x20an\x20email\x20to\x0agolang-dev@golang.org\x20for\x20discussion.\x0a
\x0a\x0a\x0aWe\x20accept\x20PGP-encrypted\x20email,\x20but\x20the\x20majority\x20of\x20the\x20security\x20team\x0aare\x20not\x20regular\x20PGP\x20users\x20so\x20it's\x20somewhat\x20inconvenient.\x20Please\x20only\x0ause\x20PGP\x20for\x20critical\x20security\x20reports.\x0a
\x0a\x0a\x0a-----BEGIN\x20PGP\x20PUBLIC\x20KEY\x20BLOCK-----\x0a\x0amQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te\x0a+fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT\x0aJ80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L\x0aksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75\x0a8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3\x0aoJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc\x0a7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF\x0aX3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN\x0aJiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk\x0axddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE\x0a0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB\x0atCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCTgQTAQoA\x0aOAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBGROHzjvGgTlE7xbTTpG0ZF5\x0aWlg4BQJd8rfQAAoJEDpG0ZF5Wlg4198P/2YDcEwEqWBWjriLFXdTGOcVxQ7AC/mX\x0aFe576zwgmrbqO00IaHOOqZZYXKd078FZyg2qQKILvfSAQB7EtLwfPEgv3Wca/Jb/\x0ama2hNz+AveiWDVuF4yPx8qvFer/6Yzv9+anfpUP//qfo/7L3VSYKwNAcqqNGvBMh\x0afLb7oWDSkdRmcu57c4WYv8i5BtxMRXs581r836bG3U0z0WQG8j64RpYp6sipqJnv\x0a09l3R5SXd7kkS26ntLU4fgTNJ6Eim7YoXsqLtVe4VZHGYz3D0yHnvCBpbJa2WpP2\x0aQT6TtFizvKtQlC0k1uo88VV8DyRdp2V6BO9cSNecvXZh81H0SjtD9MwdMnpX3shT\x0aLKu3L6wlJtb/EJVZg6+usJo0VunUdNTiBmy4FJrko7YYOSVHKKBA6dooufGNUSjw\x0a9Tieqh4jnzpg6+aIrNugZIrABH2G0GD/SvUSfjli0i+D1mqQSsMcLzE1BBcichpS\x0ahtjv6fU8nI5XXmloUn1P2WBwziemsb7YcfBLNVeCxlAmoJn1hnOPjNzmKfVZk95E\x0aVJNvVB76JCh+S/0bAba5+nBZ1HRn/FAbs9vfUpp1sOFf25jX9bDAZvkqwgyPpNv/\x0ajONK0zNXRD5AfKdCA1nkMI70NNS5oBxPowp95eKyuw4hCINvfuPq5sLJa3cIMj3M\x0aMVO91QDs9eXxuQINBFXI1h0BEACXD0f/XJtCzgrdcoDWOggjXqu1r0pLt7Dvr5qB\x0aejSN5JHAwRB8i07Fi9+Gajz7J2flNaxNuJ8ZTwvf4QFMxFHLNaFtoY7RaLPDsFNU\x0anufklb6d0+txSmn+KVSToBRXFo7/z9H735Ulmmh6gsddiWgUY25fnwYsjLWNIG8u\x0awuX8qLkg6se8PUYrpN+06XmPwg8LUtIGvAYk7zTfHvBR1A/+2wo39A9HymcGe2sS\x0aCtAVIj5DeqsK9UyZecGVi6aN84G3
ykoyAH3+LH4dY3ymJA1CInEP5eMQzpfBSZCo\x0ahHvLkYg0paC6d0Ka1gjNWBj2nYGvpQ+tMmLXYt8q/mzZHo2fEUe/9p3b0Kk9N4sl\x0aGxKoV+oEv3r0EKmP+KxeZASbgW3OJmJ0BFejXYqIYCc8X2i2Ks0enj7yHA0Hexx/\x0atwjnfLydmK871zAjsGgKVjpkhpuMNwnGMr7bh6ajPeYnlIelmlAtJv2jwZsst9c6\x0ar7i7MRfYDfR+Gu2xBv/HQYzi/cRTVo/aaO6SzJhuCV21jri0PfnCoAD2ZWXlTH6D\x0aUehQG8vDSH6XPCHfvQ0nD/8hO8FBVS0MwH3qt8g/h8vmliXmmZHP6+y4nSJfObTm\x0aoGAp9Ko7tOj1JbFA91fz1Hi7T9dUCXDQCT1lx6rdb3q+x4RRNHdqhkIwg+LB9wNq\x0arrStZQARAQABiQI2BBgBCgAgAhsMFiEEZE4fOO8aBOUTvFtNOkbRkXlaWDgFAl3y\x0auFYACgkQOkbRkXlaWDiMgw//YvO2nZxWNSnQxqCEi8RXHV/3qsDDe8LloviFFV/M\x0aGSiGZBOhLJ0bFm9aKKPoye5mrZXBKvEVPu0h1zn43+lZruhARPiTu2AecQ7fstET\x0aPyXMZJ4mfLSFIaAumuH9dQEQJA9RRaFK8uzPRgAxVKyuNYS89psz/RvSeRM3B7Li\x0am9waLs42+5xtltR5F6HKPhrgS/rrFHKMrNiDNMMG2FYu1TjonA9QnzAxDPixH3A1\x0aVNEj6tVqVK8wCMpci3YaXZJntX0H3oO6qloL8qIpSMVrIiD4IDBDK13Jn3OJ7veq\x0aiDn1mbGFYtfu8R+QV2xeDSJ6nEKfV3Mc3PFDbJMdzkOCdvExC8qsuUOqO4J6dRt7\x0a9NVptL0xZqlBjpF9fq9XCt7ZcQLDqbUF/rUs58yKSqEGrruXTx4cTLtwkTLcqJOw\x0a/CSgFtE8cvY51uupuEFzfmt8JLNTxsm2X2NlsZYxFJhamVrGFroa55nqgKe3tF7e\x0aAQBU641SZRYloqGgPK+4PB79vV4RyEDETOpD3PvpN2IafVWDacI4LXW0a4EKnPUj\x0a7JwRBmZxESda3OixSONv/VcuEOyGAZUppbLM4XYTtslRIqdQJFr7Vkza/VIoUqaY\x0aMkFIioHf2QndVwDXt3d0b0aAGaLeMRD1MFGtLNigEDD45nPeEpuGzXkUATpVWGiV\x0abIs=\x0a=Nx85\x0a-----END\x20PGP\x20PUBLIC\x20KEY\x20BLOCK-----\x0a\x0a", + "error.html": "\x0a\x0a
\x0a{{html\x20.}}\x0a
\x0a", "example.html": "\xe2\x96\xb9\x20Example{{example_suffix\x20.Name}}
\x0a\x20\x20\xe2\x96\xbe\x20Example{{example_suffix\x20.Name}}
\x0a\x20\x20\x20\x20{{with\x20.Doc}}{{html\x20.}}
{{end}}\x0a\x20\x20\x20\x20{{$output\x20:=\x20.Output}}\x0a\x20\x20\x20\x20{{with\x20.Play}}\x0a\x20\x20\x20\x20\x20\x20{{html\x20$output}}
Code:
\x0a\x20\x20\x20\x20\x20\x20{{.Code}}\x0a\x20\x20\x20\x20\x20\x20{{with\x20.Output}}\x0a\x20\x20\x20\x20\x20\x20\x20\x20
Output:
\x0a\x20\x20\x20\x20\x20\x20\x20\x20{{html\x20.}}\x0a\x20\x20\x20\x20\x20\x20{{end}}\x0a\x20\x20\x20\x20{{end}}\x0a\x20\x20
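Review bot: in the security.html hunk, the CVE paragraph links to the "National Vulnerability Disclosure site"; the NVD is the National Vulnerability Database, so the link text should use that name. Two smaller points in the same file: the PGP section publishes the armored public key but never states the key's fingerprint in prose, so a reporter has nothing to compare against a second channel before encrypting to it; adding the fingerprint next to the block would fix that. And "as timely a manner as possible, however it's important that we follow the process" is a comma splice; "as possible; however, it's important" reads cleanly.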
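Review bot: in the gen.go hunk, the new "doc/security.html" entry lands between "doc/root.html" and "error.html", which keeps the files list in sorted order, so nothing to change here; the only requirement this entry creates is that static.go be regenerated in the same change, which the third hunk shows was done.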
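Review bot: the static.go hunk is generated output from the files list in gen.go and should never be edited by hand; the embedded "doc/security.html" string matches the new security.html text line for line, armored PGP key block included, which is what regenerated output should look like. Before merging, re-run the generator on a clean tree and confirm the diff is empty, so that no drift between the source HTML and the embedded copy (for instance a later edit to the key block in one place but not the other) slips through.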