## Supported Versions

We actively support the following versions of sigtool with security updates:

| Version | Supported |
|---|---|
| main | ✅ |
| Latest release | ✅ |
## Reporting a Vulnerability

If you discover a security vulnerability in sigtool, please report it responsibly:

**DO NOT** create a public GitHub issue for security vulnerabilities.

Instead, please:

- **Email:** Send details to the repository maintainers privately
- **Include:**
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if available)

### Response Timeline

- **Acknowledgment:** Within 48 hours
- **Initial Assessment:** Within 1 week
- **Status Updates:** Weekly until resolved
- **Fix Release:** Based on severity (critical issues within 7 days)
## Security Best Practices

When using sigtool:

- **Input Validation:** Always validate PE file sources before processing
- **File Permissions:** Use appropriate file permissions for extracted signatures
- **Network Security:** When downloading test files, verify sources and checksums
- **Environment:** Keep the Go runtime and dependencies updated
## Scope

This security policy covers:

- The core sigtool library (`sigtool.go`)
- The CLI tool (`cmd/gosigtool/`)
- Build and CI/CD processes
- Dependencies and their security updates

It does not cover:

- Security of the PE files being analyzed (sigtool analyzes but doesn't validate the security of the target files themselves)
- Third-party tools and utilities not part of this repository
- Security of development environments and systems