
Security: eclipse-iofog/edgelet


SECURITY.md

Security Policy

Supported versions

| Version | Supported |
| --- | --- |
| v1.0.0-beta.1 and later pre-releases on develop | Yes |
| Earlier migration / dev builds | No |

Reporting a vulnerability

If you believe you have found a security issue in Edgelet:

  1. Do not open a public GitHub issue for exploitable vulnerabilities.
  2. Email security@datasance.com with:
    • A description of the issue and impact
    • Steps to reproduce (proof-of-concept if available)
    • Affected version / commit and platform (linux embed, docker/podman, desktop)
  3. We aim to acknowledge reports within 5 business days and provide a remediation timeline when confirmed.

For non-security bugs, use the public issue tracker or CONTRIBUTING.md.

Security gates (maintainers)

Before release tags, run:

make security-code   # gosec on ./cmd ./internal ./pkg
make vulncheck       # govulncheck@v1.1.4 + go mod verify
  • gosec is intentionally not in golangci-lint; static analysis is scoped to edgelet module trees.
  • govulncheck scans ./cmd/... ./internal/... ./pkg/... . Goal: zero vulnerabilities affecting call paths (symbol-level findings); module-level findings with no reachable call path are reported but do not fail the gate.
  • CI: .github/workflows/govulncheck.yml (on go.sum push, daily cron, manual dispatch).

Dependency updates (beta)

  • Go toolchain: track Go security releases; bump go in go.mod and CI pins promptly.
  • Modules: go get -u / Dependabot PRs reviewed against make vulncheck.
  • Embedded runtime pins (containerd, crun, CNI).

Known vulnerability exceptions

The following findings are documented exceptions accepted for v1.0.0-beta.1. They are enforced by scripts/vulncheck.sh (keep ALLOWED_VULNS in sync with this table).

| ID | CVE | Component | Rationale | Fix timeline |
| --- | --- | --- | --- | --- |
| GO-2026-4887 | CVE-2026-34040 | github.com/docker/docker client SDK v27.3.1 | Affects Docker Engine AuthZ plugins when request bodies exceed ~1 MiB. Edgelet uses the SDK as a client to local docker/podman; typical edge deployments do not enable AuthZ plugins. Upgrading the SDK to v28+ breaks the current API surface; the daemon patch (Engine ≥ 29.3.1) is an operator responsibility. | Revisit when github.com/docker/docker v29.3.1+ is published as a Go module and API migration is scheduled (post-beta). |
| GO-2026-4883 | (Moby advisory) | github.com/docker/docker client SDK v27.3.1 | Daemon-side plugin privilege validation off-by-one; same client-only usage and no AuthZ plugin dependency as GO-2026-4887. | Same as GO-2026-4887. |

Operator mitigation (docker/podman engine): run a patched Docker Engine (≥ 29.3.1) or Podman equivalent; restrict API access; do not rely on AuthZ plugins that inspect full request bodies.

Exception policy

New exceptions require:

  1. Entry in this table (GO ID, CVE if any, component, rationale, fix timeline).
  2. Matching ID in scripts/vulncheck.sh ALLOWED_VULNS.
  3. Brief note under Known limitations in CHANGELOG.md at next release (15-4).

Undocumented findings fail make vulncheck and CI.
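The gate described under "Security gates" and the exception policy above amount to one rule: every symbol-level govulncheck finding must either be absent or appear in ALLOWED_VULNS. The following Go program is an added example of that rule, not the project's scripts/vulncheck.sh. It consumes the `govulncheck -json` message stream (assumed field names `finding.osv` and `finding.trace[].function`, with the first trace frame being the vulnerable symbol and empty when the finding is only module- or package-level), ignores findings with no reachable call path, and exits non-zero for any reachable OSV ID missing from the allowlist. The embedded sample stream, the `example.com/...` module paths and the placeholder ID `GO-0000-0000` are constructed for the demo and are not real findings.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// govulncheck -json writes a stream of JSON objects of the forms
// {"config":...}, {"progress":...}, {"osv":{...}} and {"finding":{...}}.
// Only "finding" messages matter for the gate; the other keys are ignored
// because the message struct does not declare them. Field names are an
// assumption based on the published govulncheck output format.
type message struct {
	Finding *finding `json:"finding"`
}

type finding struct {
	OSV   string  `json:"osv"`
	Trace []frame `json:"trace"`
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// affectsCallPath reports whether a finding is symbol-level, i.e. govulncheck
// found a path from the scanned packages to the vulnerable function. Module-
// and package-level findings have no Function in their first trace frame.
func affectsCallPath(f finding) bool {
	return len(f.Trace) > 0 && f.Trace[0].Function != ""
}

// Gate reads a govulncheck JSON stream and returns the sorted set of reachable
// OSV IDs and the subset of those IDs that is not covered by allowed.
func Gate(r io.Reader, allowed []string) (reachable, undocumented []string, err error) {
	allow := map[string]bool{}
	for _, id := range allowed {
		allow[strings.TrimSpace(id)] = true
	}
	seen := map[string]bool{}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, nil, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		if m.Finding == nil || !affectsCallPath(*m.Finding) {
			continue // progress/config/osv messages and unreachable findings
		}
		id := m.Finding.OSV
		if seen[id] {
			continue // govulncheck emits one finding per example trace
		}
		seen[id] = true
		reachable = append(reachable, id)
		if !allow[id] {
			undocumented = append(undocumented, id)
		}
	}
	sort.Strings(reachable)
	sort.Strings(undocumented)
	return reachable, undocumented, nil
}

// sampleOutput is a constructed govulncheck -json stream: one module-level and
// one symbol-level finding for the documented exception GO-2026-4887, plus a
// symbol-level finding for the placeholder ID GO-0000-0000 (not a real advisory).
const sampleOutput = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 3 packages across 1 dependent module for known vulnerabilities..."}}
{"finding":{"osv":"GO-2026-4887","trace":[{"module":"github.com/docker/docker","version":"v27.3.1"}]}}
{"finding":{"osv":"GO-2026-4887","trace":[{"module":"github.com/docker/docker","version":"v27.3.1","package":"github.com/docker/docker/client","function":"NewClientWithOpts"},{"module":"example.com/edgelet","package":"example.com/edgelet/internal/runtime","function":"newDockerRuntime"}]}}
{"finding":{"osv":"GO-0000-0000","trace":[{"module":"example.com/placeholder","version":"v0.0.1","package":"example.com/placeholder","function":"Parse"}]}}
`

func main() {
	// ALLOWED_VULNS holds the IDs from the exception table, whitespace-separated.
	allowed := strings.Fields(os.Getenv("ALLOWED_VULNS"))
	var in io.Reader = os.Stdin
	if len(os.Args) > 1 && os.Args[1] == "--demo" {
		in = strings.NewReader(sampleOutput)
		allowed = []string{"GO-2026-4887", "GO-2026-4883"}
	}
	reachable, undocumented, err := Gate(in, allowed)
	if err != nil {
		fmt.Fprintln(os.Stderr, "vulngate:", err)
		os.Exit(2)
	}
	fmt.Println("reachable findings:", reachable)
	if len(undocumented) > 0 {
		fmt.Println("FAIL: undocumented findings (add to the exception table and ALLOWED_VULNS):", undocumented)
		os.Exit(1)
	}
	fmt.Println("OK: every reachable finding is a documented exception")
}
```

Run it against a real scan with `govulncheck -json ./cmd/... ./internal/... ./pkg/... | ALLOWED_VULNS="GO-2026-4887 GO-2026-4883" go run vulngate.go`, or with `go run vulngate.go --demo` to see the constructed stream fail on the placeholder ID. Because the gate keys on the OSV ID rather than on govulncheck's text output, a new example trace for an already documented exception does not break the build, while a new reachable ID always does.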

There aren't any published security advisories