Security is a priority. We maintain a proactive stance to identify and fix vulnerabilities in go-sanitize.

If you’ve found a security issue, please don’t open a public issue or PR.

Instead, send a private email to: 📧 go-sanitize@mrz1818.com

Include the following:

• 🕵️ Description of the issue and its impact
• 🧪 Steps to reproduce or a working PoC
• 🔧 Any known workarounds or mitigations

We welcome responsible disclosures from researchers, vendors, users, and curious tinkerers alike.

• 🧾 Acknowledgment within 72 hours
• 📢 Status updates every 5 business days
• ✅ Resolution target of 30 days (for confirmed vulnerabilities)

Prefer encrypted comms? Let us know in your initial email—we’ll reply with our PGP public key. All official security responses are signed with it.

We regularly scan for known vulnerabilities using:

• govulncheck: Checks Go code and dependencies for known vulnerabilities using the Go vulnerability database.
• ask nancy: As part of our CI (see fortress.yml), we run nancy to check Go dependencies for vulnerabilities against the OSS Index. This helps us catch issues in third-party packages early.
• gitleaks: Scans the repository for sensitive data or secrets that may have been accidentally committed to the codebase.

Want to run these yourself?

make govulncheck
# or run nancy via the CI workflow

This will check your local build for known issues in Go modules and dependencies.

We follow the OpenSSF best practices to ensure this repository remains compliant with industry‑standard open source security guidelines.

To proactively protect this repository, we use several automated GitHub workflows:

• CodeQL Analysis: Scans the codebase for security vulnerabilities and coding errors using GitHub's CodeQL engine on every push and pull request to the master branch.
• OpenSSF Scorecard: Periodically evaluates the repository against OpenSSF Scorecard checks, providing insights and recommendations for improving supply chain security and best practices.

These workflows help us identify, remediate, and prevent security issues as early as possible in the development lifecycle. For more details, see the workflow files in the .github/workflows/ directory.