If you discover a security vulnerability in go-code, please report it privately by opening a GitHub Security Advisory.

Do not open a public issue for security problems.

We aim to acknowledge reports within 72 hours and provide an initial assessment within 7 days. Coordinated disclosure is preferred — we will work with you on a timeline before any public announcement.

Only the latest minor release receives security fixes.