| Version | Supported |
|---|---|
| main | ✅ |
| < main | ❌ |
Only the latest version on the main branch receives security updates.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via one of these methods:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Provide details about the vulnerability
Alternatively, send an email to security@netresearch.de with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability and determine severity
- Updates: We will keep you informed of our progress
- Resolution: We aim to resolve critical issues within 7 days
- Disclosure: We will coordinate disclosure timing with you
This project employs several security practices:
- CodeQL: Static analysis for security vulnerabilities
- govulncheck: Go vulnerability database checking
- gosec: Go security checker
- gitleaks: Secret detection in commits
- Trivy: Filesystem vulnerability scanning
- Dependabot: Dependency vulnerability alerts
- All changes require PR review
- Security-sensitive changes require additional scrutiny
- CI must pass before merging
- No external dependencies (stdlib only)
- Input validation for cron expressions and timezones
- Panic recovery in job execution
When using this library:
- Timezone Input: Timezone names come from user input; validate them with `time.LoadLocation` before use
- Panic Recovery: Always use the `cron.Recover()` wrapper in production
- Logging: Be cautious about logging cron expressions that may contain sensitive scheduling patterns
- Goroutine Leaks: Ensure `cron.Stop()` is called during shutdown
- We follow coordinated disclosure practices
- We credit reporters (unless they prefer anonymity)
- We aim to fix vulnerabilities before public disclosure
- We will publish security advisories for significant issues