How to get in touch about a security concern?

hi @cokeBeer Can you send a PR to fix it. :)

Yes, I do would like to submit a PR to help you fix it. But directly PR may disclose the detail of the vulnerability too early and lead to some exploits by others. So in regular progress, as a security researcher, I need a safe way to submit my report to you, the matainer, and prove the danger of the vulnerability first. Both email or qq will be ok.
Github also suggests this, too. More information can be found in https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

OK, thanks. My email is [email protected]

I have sent my report to you. If you accept this vulnerability, please let me know.

👍 Thanks, 已经收到。

有修复建议吗？欢迎发PR。

@inhere Hi , would you like to publish a security advisory for this vulnerability?

@cokeBeer Hi, what do i need to do?

@inhere Hi, Can you see New draft security advisory in https://github.com/gookit/goutil/security/advisories? Click the button and you can create new security advisory. If you feel confused about some blanks, you can invite me as a collaborator to edit it.

@inhere any questions ?

@inhere Maybe you can take this one as a reference, a security advisory published by another famous golang tool library, lancet: GHSA-pp3f-xrw5-q5j4

@cokeBeer please see GHSA-fx2v-qfhr-4chv

@inhere Hi, the page is 404 for me. Did you invite me as a collabrator?

Hi @cokeBeer , Added you as a contributor

@inhere Hi, I have finished the security advisory content. Could you request a CVE identification number in that page before publish it ? (Only maintainers can do so)

OK. Do i need to publish it?

@inhere Yes, this can inform users of goutil to upgrade to more secure version.

hi, the GHSA has been published.