
Security: sazardev/goca


SECURITY.md

Security Policy

Supported Versions

The following table shows which versions of Goca are currently receiving security updates:

Version   Supported   Status
1.11.x    Yes         Current Release
1.10.x    Yes         Maintenance Mode
< 1.10    No          End of Life

We strongly recommend using the latest stable release to ensure you have the most recent security patches and improvements.

Security Update Policy

  • Current Release: Receives all security updates immediately
  • Maintenance Mode: Receives critical security updates for 6 months after a new release is published
  • End of Life: No longer receives security updates

Reporting a Vulnerability

We take the security of Goca seriously. If you believe you have found a security vulnerability, please report it to us responsibly.

How to Report

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by email to:

[email protected]

Include the following information in your report:

  • Type of vulnerability
  • Full paths of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the vulnerability, including how an attacker might exploit it

What to Expect

After submitting a report, you can expect:

  1. Initial Response: Within 48 hours, we will acknowledge receipt of your report
  2. Status Updates: We will provide regular updates on the progress of addressing the vulnerability
  3. Verification: We will work to verify and reproduce the reported vulnerability
  4. Resolution Timeline:
    • Critical vulnerabilities: Patch released within 7 days
    • High severity: Patch released within 14 days
    • Medium/Low severity: Patch released within 30 days
  5. Disclosure: We will coordinate with you on the disclosure timeline

If Your Report is Accepted

If we confirm the vulnerability:

  • We will acknowledge your contribution in the security advisory (unless you prefer to remain anonymous)
  • We will work on a fix and release a security patch
  • We will publish a security advisory detailing the vulnerability after the patch is released
  • We will credit you for the discovery (if desired)

If Your Report is Declined

If we determine the report is not a security vulnerability:

  • We will explain why we do not consider it a vulnerability
  • We may suggest alternative reporting channels if appropriate (e.g., bug reports)
  • We will close the report

Security Best Practices for Users

When using Goca, follow these security best practices:

Generated Code Security

  1. Review Generated Code: Always review the code generated by Goca before deploying to production
  2. Input Validation: Ensure proper validation of user inputs in your application
  3. Dependency Management: Keep dependencies up to date using go mod tidy
  4. Environment Variables: Never hardcode sensitive information; use environment variables

Development Environment

  1. Keep Goca Updated: Regularly update to the latest version
  2. Verify Downloads: Verify checksums when downloading binary releases
  3. Use Official Sources: Only download Goca from official GitHub releases
  4. Secure Your Workspace: Protect your development environment and generated code

Generated Application Security

Generated applications should implement:

  1. Authentication and Authorization: Implement proper access controls
  2. Input Sanitization: Validate and sanitize all user inputs
  3. SQL Injection Prevention: Use parameterized queries (already included in generated repositories)
  4. HTTPS: Use HTTPS in production environments
  5. Rate Limiting: Implement rate limiting on API endpoints
  6. Logging: Implement proper logging without exposing sensitive data

Known Security Considerations

Code Generation

Goca generates code based on user-provided templates and configurations. Users are responsible for:

  • Validating generated code before production use
  • Implementing proper security controls in their applications
  • Following security best practices in their specific use cases

Dependencies

Goca uses third-party dependencies. We:

  • Regularly update dependencies to address known vulnerabilities
  • Monitor security advisories for all dependencies
  • Use go mod verify to ensure dependency integrity

Security Disclosure Policy

When a security vulnerability is fixed:

  1. We will release a patch version immediately
  2. We will publish a security advisory on GitHub
  3. We will update this document with any relevant information
  4. We will notify users through release notes and GitHub notifications

Scope

This security policy applies to:

  • Goca CLI tool
  • Generated code templates
  • Documentation and examples
  • Official binary releases

This policy does NOT cover:

  • Third-party forks or modifications
  • User-generated templates or customizations
  • Applications built using Goca (user responsibility)
  • Infrastructure where Goca is deployed

Security-Related Configuration

Safe Code Generation

Goca includes safety features to prevent common issues:

  • Dry-run mode to preview changes
  • File conflict detection
  • Backup creation before overwriting
  • Name conflict detection
  • Version compatibility checks

Always use these features when modifying existing projects:

# Preview changes before generating
goca feature User --fields "name:string" --dry-run

# Create backup before overwriting
goca feature User --fields "name:string" --force --backup

Questions or Concerns

If you have questions about this security policy or general security concerns (that are not vulnerabilities), you can:

  • Open a GitHub issue with the security label for non-sensitive discussions
  • Email [email protected] for private security discussions

Acknowledgments

We appreciate the security research community's efforts in responsibly disclosing vulnerabilities and helping to keep Goca and its users secure.

Security Contributors

We would like to thank the following individuals for responsibly disclosing security vulnerabilities:

  • (List will be updated as vulnerabilities are reported and fixed)

Policy Updates

This security policy may be updated from time to time. Significant changes will be announced through:

  • GitHub release notes
  • Security advisories
  • Project README

Last updated: October 15, 2025
