The following versions of ads-go are currently supported with security updates:

We recommend always using the latest release for the best security and stability.

We take the security of ads-go seriously. If you discover a security vulnerability, please follow these steps:

Please do not open a public GitHub issue for security vulnerabilities, as this could put users at risk.

Report security vulnerabilities through one of these methods:

1. Go to the Security tab of the repository
2. Click "Report a vulnerability"
3. Fill out the form with details about the vulnerability

Alternatively, email security concerns to: jarmo_cluyse@hotmail.com

When reporting a vulnerability, please include:

• Description: Clear description of the vulnerability
• Impact: What could an attacker do with this vulnerability?
• Reproduction: Step-by-step instructions to reproduce the issue
• Affected versions: Which versions of ads-go are affected?
• Environment: Go version, OS, TwinCAT version (if relevant)
• Proof of concept: Code demonstrating the vulnerability (if possible)
• Suggested fix: If you have ideas for how to fix it

After you report a vulnerability:

• Initial response: Within 48 hours, we'll acknowledge receipt
• Assessment: Within 1 week, we'll assess the vulnerability and provide initial feedback
• Updates: We'll keep you informed of progress every 1-2 weeks
• Fix timeline: Critical vulnerabilities will be addressed within 30 days
• Disclosure: We'll coordinate with you on responsible disclosure timing

When using ads-go in your applications:

• Firewall: Restrict ADS port access (TCP 48898) to trusted networks
• TLS/VPN: Use TLS or VPN when connecting over untrusted networks
• Authentication: Configure TwinCAT router authentication where possible
• Network isolation: Run PLCs and ADS clients on isolated networks

• No hardcoding: Never hardcode AMS NetIDs, IP addresses, or credentials in source code
• Environment variables: Use environment variables or secure configuration files
• Secrets management: Use proper secrets management for production deployments
• Least privilege: Grant only necessary ADS permissions

• Sanitize input: Validate all user input before sending to PLC
• Type checking: Use strong typing and validate data types match PLC expectations
• Bounds checking: Check array indices and string lengths before writing
• Error handling: Always handle errors from ads-go operations

• Keep updated: Regularly update ads-go to the latest version
• Dependency scanning: Use tools like go list -m all and vulnerability scanners
• Vendor dependencies: Consider vendoring dependencies for production

• Sanitize logs: Don't log sensitive data (credentials, production values)
• Rate limiting: Implement rate limiting on ADS operations
• Monitoring: Monitor for unusual patterns or errors

The ADS protocol has inherent security limitations:

• No encryption: ADS does not encrypt data in transit (use VPN/TLS at network layer)
• Limited authentication: Authentication is router-based, not per-connection
• Industrial protocol: Designed for trusted industrial networks, not internet-facing applications

1. Never expose ADS directly to the internet
2. Use network segmentation to isolate PLCs
3. Implement application-layer security (authentication, authorization, rate limiting)
4. Monitor and audit all ADS operations in production

Security updates will be:

• Released as patch versions (e.g., 0.2.1)
• Documented in CHANGELOG.md
• Announced in GitHub releases
• Tagged with "security" label

Critical vulnerabilities may result in out-of-band releases.

When a vulnerability is fixed:

1. Private fix: We'll develop and test the fix privately
2. Security advisory: We'll publish a GitHub Security Advisory
3. Release: We'll release a new version with the fix
4. Announcement: We'll announce the security update in the release notes
5. Credit: We'll credit the reporter (unless they prefer anonymity)

We follow a 90-day disclosure policy: vulnerabilities will be publicly disclosed 90 days after the fix is released, or when the vulnerability becomes publicly known, whichever comes first.

For security concerns: jarmo_cluyse@hotmail.com

For general questions: Open a GitHub Discussion

Thank you for helping keep ads-go and its users secure!