| Version | Supported |
|---|---|
| v1.x.x | ✅ |
| < v1.0 | ❌ |

Please do not open a public issue for suspected vulnerabilities.
Report privately via one of:
- GitHub Security Advisories (preferred): use the Report a vulnerability button on the repository's Security tab.
- Email: open an issue requesting the security contact address and we will respond with one.

A useful report includes:
- A short description of the impact
- Reproduction steps or a minimal test case
- The commit / version you observed the issue on

We aim to acknowledge reports within 72 hours and to publish a fix or mitigation within 30 days for confirmed issues, sooner for critical bugs.

go-pubsub is an in-process, in-memory pub/sub library. Realistic
threats include:

- Concurrency bugs (data races, lock-order deadlocks) under the `go test -race ./...` gate.
- Memory growth (unbounded topic / subscription accumulation) — mitigate with `pubsub.WithCapacity`.
- Channel-buffer exhaustion causing message loss — this is by design (fire-and-forget), not a vulnerability, but report it if it surprises a downstream user.

Out of scope:

- Issues in `github.com/google/uuid` or `github.com/stretchr/testify` — report upstream.
- Theoretical attacks that require arbitrary code execution in the host process.