If you discover a security vulnerability in gokit, please report it responsibly.

• Acknowledgment within 48 hours of your report
• Status update within 5 business days with an assessment
• Fix timeline communicated once the issue is confirmed
• Credit in the release notes (unless you prefer to remain anonymous)

• We follow coordinated disclosure.
• Please allow us reasonable time to address the issue before any public disclosure.
• We will work with you to understand and resolve the issue promptly.

When using gokit in production:

• Keep dependencies up to date (make update && make tidy)
• Use the encryption package for sensitive data at rest
• Configure TLS via the security package for all network communication
• Never commit secrets — use environment variables or secret managers
• Review gosec findings regularly (make lint includes gosec)