How to get in touch about a security concern?

This issue was created on 2022-11-14.

Hi, I found an important security problem in goutil. How can I get in touch with you privately and submit my security report?

inhere wrote this answer on 2022-12-07

Hi @cokeBeer, can you send a PR to fix it? :)

cokeBeer wrote this answer on 2022-12-07

Yes, I would like to submit a PR to help you fix it. But a direct PR may disclose the details of the vulnerability too early and lead to exploits by others. So in the regular process, as a security researcher, I need a safe way to submit my report to you, the maintainer, and prove the danger of the vulnerability first. Either email or QQ will be OK.
GitHub also suggests this. More information can be found at https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

inhere wrote this answer on 2022-12-07

OK, thanks. My email is [email protected]

cokeBeer wrote this answer on 2022-12-07

I have sent my report to you. If you accept this vulnerability, please let me know.

inhere wrote this answer on 2022-12-07

👍 Thanks, received.

Do you have a fix suggestion? A PR is welcome.

cokeBeer wrote this answer on 2023-03-04

@inhere Hi, would you like to publish a security advisory for this vulnerability?

inhere wrote this answer on 2023-03-04

@cokeBeer Hi, what do I need to do?

cokeBeer wrote this answer on 2023-03-04

@inhere Hi, can you see "New draft security advisory" at https://github.com/gookit/goutil/security/advisories? Click the button and you can create a new security advisory. If you are confused about some of the fields, you can invite me as a collaborator to edit it.

cokeBeer wrote this answer on 2023-03-04

@inhere any questions?

cokeBeer wrote this answer on 2023-03-04

@inhere Maybe you can take this one as a reference, a security advisory published by another well-known Go tool library, lancet: GHSA-pp3f-xrw5-q5j4

inhere wrote this answer on 2023-03-04

cokeBeer wrote this answer on 2023-03-04

@inhere Hi, the page is 404 for me. Did you invite me as a collaborator?

inhere wrote this answer on 2023-03-05

Hi @cokeBeer, added you as a contributor.

cokeBeer wrote this answer on 2023-03-06

@inhere Hi, I have finished the security advisory content. Could you request a CVE identification number on that page before publishing it? (Only maintainers can do so.)

inhere wrote this answer on 2023-03-06

OK. Do I need to publish it?

cokeBeer wrote this answer on 2023-03-06

@inhere Yes, this can inform users of goutil to upgrade to a more secure version.

inhere wrote this answer on 2023-03-07

Hi, the GHSA has been published.

More Details About Repo
Owner Name: gookit
Repo Name: goutil
Full Name: gookit/goutil
Language: Go
Created Date: 2018-07-03
Updated Date: 2023-03-22
Star Count: 1263
Watcher Count: 29
Fork Count: 142
Issue Count: 3
