| 1 | +# ssh_config security policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +As of September 2025, we're not aware of any security problems with ssh_config, |
| 6 | +past or present. That said, we recommend always using the latest version of |
| 7 | +ssh_config, and of the Go programming language, to ensure you have the most |
| 8 | +recent security fixes. |
| 9 | + |
| 10 | +## Reporting a Vulnerability |
| 11 | + |
| 12 | +We take security vulnerabilities seriously. If you discover a security vulnerability in ssh_config, please report it responsibly by following these steps: |
| 13 | + |
| 14 | +### How to Report |
| 15 | + |
| 16 | +Please follow the instructions outlined here to report a vulnerability |
| 17 | +privately: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability |
| 18 | + |
| 19 | +If these are insufficient - it is not hard to find Kevin's contact information |
| 20 | +on the Internet. |
| 21 | + |
| 22 | +### What to Include |
| 23 | + |
| 24 | +When reporting a vulnerability, please include a clear description of the vulnerability, steps to reproduce the issue, the potential impact, as well as any fixes you might have. |
| 25 | + |
| 26 | +### Response Timeline |
| 27 | + |
| 28 | +I'll try to acknowledge and patch the issue as quickly as possible. |
| 29 | + |
| 30 | +Security advisories for this project will be published through: |
| 31 | +- GitHub Security Advisories on this repository |
| 32 | +- an Issue on this repository |
| 33 | +- The project's release notes |
| 34 | +- Go vulnerability databases |
| 35 | + |
| 36 | +If you are using `ssh_config` and would like to be on a "pre-release" |
| 37 | +distribution list for coordinating releases, please contact Kevin directly. |
| 38 | + |
| 39 | +### Security Considerations |
| 40 | + |
| 41 | +When using ssh_config, please be aware of these security considerations. |
| 42 | + |
| 43 | +#### File System Access |
| 44 | + |
| 45 | +This library reads SSH configuration files from the file system. Try to ensure |
| 46 | +proper file permissions on SSH config files (typically 600 or 644), and be |
| 47 | +cautious when parsing config files from untrusted sources. |
| 48 | + |
| 49 | +#### Input Validation |
| 50 | + |
| 51 | +The parser handles user-provided SSH configuration data. While we try our best |
| 52 | +to parse the data appropriately, malformed configuration files could potentially |
| 53 | +cause issues. Please try to validate and sanitize any configuration data from |
| 54 | +external sources. |
| 55 | + |
| 56 | +#### Dependencies |
| 57 | + |
| 58 | +This project does not have any third party dependencies. Please try to keep your |
| 59 | +Go version up to date. |
| 60 | + |
| 61 | +## Acknowledgments |
| 62 | + |
| 63 | +We appreciate security researchers and users who responsibly disclose vulnerabilities. Contributors who report valid security issues will be acknowledged in our security advisories (unless they prefer to remain anonymous). |
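Review bot: The "Response Timeline" section (lines 26-28) states no timeline, only "as quickly as possible"; give a target window for acknowledgement or rename the heading so reporters know what to expect. Related points in the same file: the fallback at lines 19-20 names no address or channel, so a reporter who cannot use GitHub's private reporting has no stated private route, and the same applies to "contact Kevin directly" at line 37. "### Security Considerations" at line 39 is nested under "## Reporting a Vulnerability", so it renders as a subsection of reporting; promoting it to "##" and its "####" children to "###" would match its content. In "File System Access" (lines 45-47), "600 or 644" is offered without saying when each is appropriate, and "Input Validation" (lines 51-54) asks callers to "validate and sanitize" without saying what to check for; one concrete sentence in each would make the advice actionable. The text also switches between "we" (lines 5, 12) and "I" (line 28), and lines 12, 24 and 63 are not wrapped like the rest of the file.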