Please do not open a public issue for a security problem. Public issues are visible to everyone before a fix exists, which puts users at risk.
Report privately through either channel:
- GitHub private advisory (preferred) — go to the Security tab and open a draft advisory. This keeps the report, discussion, and fix in one place and lets us credit you when it is resolved.
- Email — write to security@toawe.me with the details below.
Please include:
- the module version or commit affected,
- your Go version and OS,
- a minimal snippet that triggers it,
- what happens and what you expected, and
- a proof of concept if you have one.
http is maintained by a small volunteer team, so please allow a little time.
- We aim to acknowledge a report within 7 days.
- Once confirmed, we will work on a fix and coordinate a release with you before any public disclosure.
- With your permission we will credit you in the release notes.
Only the latest released version receives security fixes. Please upgrade to the current release before reporting, in case the issue is already resolved.