Security Policy

Supported Versions

Only the last stable version at any given point.

Response Timeline

We aim to acknowledge vulnerability reports within 3 business days. Resolution or assessment is typically provided within 7 business days from the reporting date.

Scope

We address vulnerabilities that could compromise the confidentiality, integrity, or availability of GoReleaser or its users.

Credit

We are happy to publicly acknowledge reporters in release notes, unless anonymity is requested.

Reporting a Vulnerability

Vulnerabilities can be disclosed in private using GitHub advisories.

For issues specific to GoReleaser Pro, please refer to this instead.