| Version | Supported |
|---|---|
| 1.x | ✅ Supported |
| < 1.0 | ❌ Not Supported |

Please do not disclose security vulnerabilities through public GitHub issues.
If you discover a security vulnerability, please email the maintainers directly or use GitHub's private vulnerability reporting feature.
- Go to the Security tab
- Click "Report a vulnerability"
- Provide detailed information about the vulnerability
- Include steps to reproduce if applicable
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information (optional)
- Timeline for public disclosure (if any)
- Initial Response: Within 7 days
- Investigation: 1-2 weeks
- Fix & Release: As soon as possible
- Disclosure: After fix is released
When using gotunnel:
- Keep Dependencies Updated: Regularly update Go and other dependencies
- Use HTTPS: Always use HTTPS when tunneling sensitive data
- Authentication: Implement proper authentication for your tunneled services
- Access Control: Restrict who can access your tunnel endpoints
- Monitor Traffic: Regularly audit and monitor tunnel connections
- Secure Configuration: Protect your tunnel configuration and credentials
- Gotunnel establishes persistent outbound TCP connections
- Ensure your tunnel server is trusted and properly secured
- Use strong credentials for any authentication mechanisms
- Monitor for unauthorized access attempts
- Regularly rotate API keys and credentials
We believe in responsible disclosure and ask that researchers:
- Give us reasonable time to fix vulnerabilities before public disclosure
- Avoid public discussion of unpatched vulnerabilities
- Provide detailed information to help us understand and fix the issue
- Act in good faith and respect privacy and confidentiality
Thank you for helping keep gotunnel secure! 🔒