We actively support the following versions of go-micro:

| Version | Supported |
|---|---|
| 5.x | ✅ |
| 4.x | ❌ |
| 3.x | ❌ |
| < 3.0 | ❌ |

Please do not report security vulnerabilities through public GitHub issues.
Send security vulnerability reports to: [email protected]
Or use GitHub's private security advisory feature: https://github.com/micro/go-micro/security/advisories/new
Please include as much of the following information as possible:
- Type of vulnerability (e.g., RCE, XSS, SQL injection, etc.)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 5 business days
- Fix Timeline: Depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: Next release cycle
- We follow coordinated disclosure
- We'll work with you to understand and fix the issue
- We'll credit you in the security advisory (unless you prefer to remain anonymous)
- Please give us reasonable time to fix before public disclosure
- We'll publish a security advisory on GitHub when the fix is released
When using go-micro in production:

```go
import (
    "os"

    "go-micro.dev/v5/transport"
)

// Enable TLS verification (recommended)
os.Setenv("MICRO_TLS_SECURE", "true")

// Or use SecureConfig explicitly
tlsConfig := transport.SecureConfig()
```

See TLS Security Update for details.
```go
import (
    "go-micro.dev/v5"
    "go-micro.dev/v5/auth"
)

// Use JWT authentication
service := micro.NewService(
    micro.Auth(auth.NewAuth()),
)
```

Always validate and sanitize inputs in your handlers:
```go
import (
    "context"

    "go-micro.dev/v5/errors"
)

func (h *Handler) Create(ctx context.Context, req *Request, rsp *Response) error {
    // Validate input
    if req.Name == "" {
        return errors.BadRequest("handler.create", "name is required")
    }
    // Sanitize and process
    // ...
    return nil
}
```

Implement rate limiting for public-facing services:
```go
import (
    "time"

    "go-micro.dev/v5/client"
)

// Client-side rate limiting
client.NewClient(
    client.RequestTimeout(time.Second * 5),
    client.Retries(3),
)
```

Never commit secrets to version control:
```go
// Good: Use environment variables
apiKey := os.Getenv("API_KEY")

// Better: Use a secrets manager
import "github.com/hashicorp/vault/api"
```

Regularly update dependencies:
```bash
# Check for vulnerabilities
go list -json -m all | nancy sleuth

# Update dependencies
go get -u ./...
go mod tidy
```

go-micro uses reflection for automatic handler registration. While this is a deliberate design choice for developer productivity, be aware:
- Type safety is enforced at runtime, not compile time
- Malformed requests won't crash services (errors are returned)
- See Performance Considerations
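The handler validation and the rate-limiting recommendation from the production guidance above, combined into one runnable example. This is an added example, not go-micro's own code: `HandlerFunc` and `HandlerWrapper` mirror the shape of go-micro's server wrapper pattern but are declared locally with concrete `Request`/`Response` types so the file runs on the standard library alone, and the token-bucket limits and the 64-character name limit are illustrative assumptions.

```go
// Added example, not go-micro's own code: a token-bucket rate-limiting
// wrapper chained in front of a handler that validates its input.
// Assumption: HandlerFunc mirrors go-micro's server.HandlerFunc shape but
// is declared locally so the file runs with the standard library alone.
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
	"unicode/utf8"
)

type Request struct{ Name string }
type Response struct{ ID string }

// A wrapper takes a handler and returns a handler, as in go-micro.
type HandlerFunc func(ctx context.Context, req *Request, rsp *Response) error
type HandlerWrapper func(HandlerFunc) HandlerFunc

var ErrRateLimited = errors.New("rate limit exceeded")

// tokenBucket allows `capacity` requests in a burst and refills at `refill`
// tokens per second; the clock is injectable so tests are deterministic.
type tokenBucket struct {
	mu       sync.Mutex
	tokens   float64
	capacity float64
	refill   float64
	last     time.Time
	now      func() time.Time
}

func newTokenBucket(capacity int, refillPerSec float64, now func() time.Time) *tokenBucket {
	return &tokenBucket{tokens: float64(capacity), capacity: float64(capacity),
		refill: refillPerSec, last: now(), now: now}
}

// allow credits tokens for the elapsed time, then spends one if available.
func (b *tokenBucket) allow() bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	t := b.now()
	b.tokens += t.Sub(b.last).Seconds() * b.refill
	if b.tokens > b.capacity {
		b.tokens = b.capacity
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// RateLimit rejects before the handler runs, so a flood of malformed
// requests is throttled just like a flood of valid ones.
func RateLimit(b *tokenBucket) HandlerWrapper {
	return func(next HandlerFunc) HandlerFunc {
		return func(ctx context.Context, req *Request, rsp *Response) error {
			if !b.allow() {
				return ErrRateLimited
			}
			return next(ctx, req, rsp)
		}
	}
}

const maxNameLen = 64 // illustrative limit (assumption)

// validateName rejects empty, oversized, non-UTF-8 and control-character
// names; trimming is the "sanitize" step.
func validateName(name string) error {
	name = strings.TrimSpace(name)
	switch {
	case name == "":
		return errors.New("name is required")
	case !utf8.ValidString(name):
		return errors.New("name is not valid UTF-8")
	case utf8.RuneCountInString(name) > maxNameLen:
		return fmt.Errorf("name exceeds %d characters", maxNameLen)
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f {
			return errors.New("name contains control characters")
		}
	}
	return nil
}

// create is the handler; in a go-micro service the validation error would be
// returned via errors.BadRequest("handler.create", ...).
func create(ctx context.Context, req *Request, rsp *Response) error {
	if err := validateName(req.Name); err != nil {
		return fmt.Errorf("bad request: %w", err)
	}
	rsp.ID = "created:" + strings.TrimSpace(req.Name)
	return nil
}

func main() {
	h := RateLimit(newTokenBucket(2, 1, time.Now))(create)
	for _, name := range []string{"alice", "", "bob"} { // constructed inputs
		var rsp Response
		err := h(context.Background(), &Request{Name: name}, &rsp)
		fmt.Printf("name=%q id=%q err=%v\n", name, rsp.ID, err)
	}
}
```

Rate limiting is applied before validation on purpose: a client that sends a stream of invalid requests still consumes tokens, so it cannot use cheap validation failures to keep a handler busy. The burst size and refill rate should be set per service from measured traffic.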
Default behavior in v5: TLS certificate verification is disabled for backward compatibility.

Production recommendation: Enable secure mode:

```bash
export MICRO_TLS_SECURE=true
```

This will be the default in v6.
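The setting above, as an added example that is not go-micro's own code: it derives a client TLS configuration from `MICRO_TLS_SECURE`, reproduces the insecure v5 default beside the hardened form, and audits the result before use so a deployment check can fail closed. The env-var parsing (only an explicit `true` enables verification), the audit rules, and the private-CA helper are this example's assumptions about how a service would wire this up, not the transport package's behaviour.

```go
// Added example, not go-micro's own code: derive the client TLS config from
// MICRO_TLS_SECURE and audit it before use. Parsing rules, audit rules and
// the private-CA helper are assumptions of this example.
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"strings"
)

// secureModeEnabled: only an explicit "true" (case-insensitive) enables
// verification; unset or any other value keeps the v5 default (assumption).
func secureModeEnabled(value string) bool {
	return strings.EqualFold(strings.TrimSpace(value), "true")
}

// tlsConfigFor returns the v5 default (verification disabled) when secure is
// false, and a hardened configuration otherwise.
func tlsConfigFor(secure bool, rootCAs *x509.CertPool) *tls.Config {
	if !secure {
		return &tls.Config{InsecureSkipVerify: true} // the weak setting
	}
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    rootCAs, // nil means the system trust store
	}
}

// privateCAPool parses a PEM bundle for a private CA and fails closed when
// nothing parsed, so a bad path is caught at start-up, not at first request.
func privateCAPool(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no CA certificates found in PEM input")
	}
	return pool, nil
}

// auditTLSConfig returns findings a deployment check should block on; an
// empty result means the configuration is acceptable for production.
func auditTLSConfig(cfg *tls.Config) []string {
	if cfg == nil {
		return []string{"no TLS configuration: transport is plaintext"}
	}
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "certificate verification disabled (InsecureSkipVerify)")
	}
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "minimum TLS version below 1.2")
	}
	return findings
}

func main() {
	secure := secureModeEnabled(os.Getenv("MICRO_TLS_SECURE"))
	findings := auditTLSConfig(tlsConfigFor(secure, nil))
	if len(findings) == 0 {
		fmt.Println("TLS configuration OK")
		return
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
	os.Exit(1)
}
```

Running the audit at start-up turns the silent v5 default into a visible, non-zero exit in any environment where `MICRO_TLS_SECURE` was forgotten, which is easier to catch in CI than a missing verification step at request time.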
Security updates are published as:
- GitHub Security Advisories
- Release notes with `[SECURITY]` prefix
- CVE entries for critical issues
Subscribe to releases: https://github.com/micro/go-micro/releases
We currently do not offer a bug bounty program, but we greatly appreciate responsible disclosure and will publicly credit researchers who report valid security issues.
For security questions that are not vulnerabilities, please:
- Open a discussion: https://github.com/micro/go-micro/discussions
- Join Discord: https://discord.gg/jwTYuUVAGh
- Email: [email protected]