Only lastest two minor version releases are supported (>= 0.12) for accepting vulnerability reports and patching fixes.
Existing vulnerability reports are being tracked in Gogs Vulnerability Reports.
- Report a vulnerability:
- We strongly enourage to use https://huntr.dev/ for submitting and managing status of vulnerability reports.
- Alternatively, you may send vulnerability reports through emails to security@gogs.io.
- Create a dummy issue with high-level description of the security vulnerability for credibility and tracking purposes.
- Project maintainers review the report and either:
- Ask clarifying questions
- Confirm or deny the vulnerability
- Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch.
- The latter is usually significantly slower.
- Patch releases will be made for the supported versions.
- Publish the original vulnerability report and a new GitHub security advisory.
Thank you!