The following versions of the Socket.IO Go implementation currently receive security updates:

| Version | Supported |
|---|---|
| 3.x.x | ✅ |
| 2.x.x | ✅ |
| 1.x.x | ❌ |

We take the security of the Socket.IO Go implementation seriously. If you believe you have found a security vulnerability, please follow these steps:
- Do not disclose the vulnerability publicly.
- Submit a report through one of these channels:
  - Open a security advisory
  - Send an email to [maintainer's email] with details of the issue
Please include the following information in your report:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Affected versions
- Potential impact
- Any possible mitigations
- Initial response: within 48 hours
- Status update: within 5 business days
- Security patch: timeline will vary based on severity and complexity
- The security team will acknowledge receipt of your vulnerability report
- We will investigate and validate the issue
- We will develop and test a fix
- A security advisory will be published once the fix is ready
- The fix will be deployed to all supported versions
When using Socket.IO in your applications, consider these security best practices:
- Always use the latest stable version
- Implement proper authentication mechanisms
- Use secure WebSocket connections (wss://)
- Configure CORS policies appropriately
- Regularly update dependencies
Security vulnerabilities will be disclosed via:
- GitHub Security Advisories
- Release notes
- The official Socket.IO Go security mailing list (if applicable)
For security-related inquiries, contact:
- GitHub Security Advisory